0002740
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015
PCI Security Standards Council
Contractual Obligation
Free
PCI DSS 3.1
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures
2015-04-01
The document as a whole was last reviewed and released on 2015-12-18T00:00:00-0800.
0002740
Free
PCI Security Standards Council
Contractual Obligation
PCI DSS 3.1
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures
2015-04-01
The document as a whole was last reviewed and released on 2015-12-18T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2 Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Technical Security | Preventive | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and Risk Management | Preventive | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Testing | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Establish/Maintain Documentation | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Establish/Maintain Documentation | Detective | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Behavior | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 [Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) 12.7] | Human Resources Management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
| Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [{development/test environment} The change control processes must implement Separation of duties between development/test and production environments. 6.4.2] | Testing | Detective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Behavior | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. 12.6] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. 12.6.2] | Establish/Maintain Documentation | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
| Conduct secure coding and development training for developers. CC ID 06822 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5] | Behavior | Corrective | |
| Conduct tampering prevention training. CC ID 11875 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Training | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Training | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Training | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Training | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Training | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Technical Security | Detective | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Implement audit trails to link all access to system components to each individual user. 10.1] | Log Management | Detective | |
| Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the audit and accountability policy. CC ID 14103 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the audit and accountability policy. CC ID 14100 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the audit and accountability policy. CC ID 14097 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the audit and accountability policy. CC ID 14096 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Communicate | Preventive | |
| Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Communicate | Preventive | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Log Management | Preventive | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Configuration | Preventive | |
| Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Configuration | Preventive | |
| Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Behavior | Preventive | |
| Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Behavior | Preventive | |
| Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Technical Security | Detective | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
| Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 [Track and monitor all access to network resources and cardholder data Requirement 10] | Monitor and Evaluate Occurrences | Detective | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 [Formally assign information security responsibilities for: Monitor and control all access to data. 12.5.5] | Human Resources Management | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Audits and Risk Management | Preventive | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitor and Evaluate Occurrences | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
| Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Technical Security | Preventive | |
| Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 | Technical Security | Preventive | |
| Implement detonation chambers, where appropriate. CC ID 10670 | Technical Security | Preventive | |
| Define and assign log management roles and responsibilities. CC ID 06311 | Establish Roles | Preventive | |
| Document and communicate the log locations to the owning entity. CC ID 12047 | Log Management | Preventive | |
| Make logs available for review by the owning entity. CC ID 12046 | Log Management | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
| Establish, implement, and maintain an event logging policy. CC ID 15217 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Log Management | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Review logs and security events for all system components to identify anomalies or suspicious activity. 10.6 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 10.6.2 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1] | Log Management | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 [Follow up exceptions and anomalies identified during the review process. 10.6.3] | Investigate | Corrective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
| Document the event information to be logged in the event information log specification. CC ID 00639 | Configuration | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 [Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. A.1.3] | Log Management | Detective | |
| Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
| Enable and configure logging on all network access controls. CC ID 01963 | Configuration | Preventive | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Log Management | Detective | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. 10.4 Use time-synchronization technology to ensure Critical systems have the correct and consistent time. 10.4.1] | Configuration | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Configuration | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Communicate | Preventive | |
| Define the frequency to capture and log events. CC ID 06313 | Log Management | Preventive | |
| Include logging frequencies in the event logging procedures. CC ID 00642 | Log Management | Preventive | |
| Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Establish/Maintain Documentation | Preventive | |
| Monitor and evaluate system performance. CC ID 00651 | Monitor and Evaluate Occurrences | Detective | |
| Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Communicate | Preventive | |
| Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Communicate | Preventive | |
| Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitor and Evaluate Occurrences | Detective | |
| Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
| Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Establish/Maintain Documentation | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitor and Evaluate Occurrences | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitor and Evaluate Occurrences | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitor and Evaluate Occurrences | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitor and Evaluate Occurrences | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitor and Evaluate Occurrences | Corrective | |
| Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
| Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
| Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
| Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
| Assess customer satisfaction. CC ID 00652 | Testing | Detective | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Establish/Maintain Documentation | Detective | |
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
| Implement file integrity monitoring. CC ID 01205 [{file integrity monitoring software} Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 10.5.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | Monitor and Evaluate Occurrences | Detective | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitor and Evaluate Occurrences | Detective | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
| Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
| Log account usage times. CC ID 07099 | Log Management | Detective | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
| Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitor and Evaluate Occurrences | Preventive | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for new vulnerabilities. CC ID 06843 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6 {make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Behavior | Preventive | |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [Regularly test security systems and processes. Requirement 11] | Technical Security | Detective | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
| Define the test requirements for each testing program. CC ID 13177 | Establish/Maintain Documentation | Preventive | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
| Scan organizational networks for rogue devices. CC ID 00536 | Testing | Detective | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
| Scan the network for wireless access points. CC ID 00370 [Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. 11.1] | Testing | Detective | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
| Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 [Implement incident response procedures in the event unauthorized wireless access points are detected. 11.1.2] | Technical Security | Corrective | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Configuration | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Configuration | Corrective | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
| Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
| Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Communicate | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 [Implement a methodology for penetration testing that includes the following: - Is based on BC;" class="term_primary-noun">industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Establish/Maintain Documentation | Preventive | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Establish Roles | Preventive | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Testing | Preventive | |
| Retain penetration test results according to internal policy. CC ID 10049 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Records Management | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Records Management | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 [If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. 11.3.4 Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Testing | Detective | |
| Perform internal penetration tests, as necessary. CC ID 12471 [Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.2] | Technical Security | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 [Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.1] | Technical Security | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Testing | Detective | |
| Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
| Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
| Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
| Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Testing | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Technical Security | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 [Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. 11.3.3] | Testing | Detective | |
| Test the system for covert channels. CC ID 10652 | Testing | Detective | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
| Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Testing | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.1.2] | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Investigate | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Technical Security | Detective | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Testing | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 [{internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Technical Security | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Technical Security | Detective | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) s="term_secondary-verb">approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Business Processes | Preventive | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Technical Security | Detective | |
| Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
| Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
| Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Technical Security | Preventive | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Technical Security | Corrective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Technical Security | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. 12.8.4] | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
| Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 [Limit viewing of audit trails to those with a job-related need. 10.5.1] | Technical Security | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
| Back up audit trails according to backup procedures. CC ID 11642 [Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.3] | Systems Continuity | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. 10.5.4] | Log Management | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 [Secure audit trails so they cannot be altered. 10.5 Protect audit trail files from unauthorized modifications. 10.5.2] | Log Management | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). 10.7] | Log Management | Preventive | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 [Maintain a list of service providers. 12.8.1] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Data and Information Management | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Manage cloud services. CC ID 13144 | Business Processes | Preventive | |
| Protect clients' hosted environments. CC ID 11862 [Shared hosting providers must protect each entity’s hosted environment and cardholder data. 2.6] | Physical and Environmental Protection | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Communicate | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
| Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
| Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
| Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
| Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
| Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintain a policy that addresses information security for all personnel. Requirement 12 Establish, publish, maintain, and disseminate a security policy. 12.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1] | Establish/Maintain Documentation | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Human Resources Management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. 12.4] | Establish/Maintain Documentation | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Human Resources Management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Establish, publish, maintain, and disseminate a security policy. 12.1] | Communicate | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
| Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Develop usage policies for critical technologies and define proper use of these technologies. 12.3] | Establish/Maintain Documentation | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [Require that usage policies include: Explicit approval by authorized parties 12.3.1] | Establish/Maintain Documentation | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 [Require that usage policies include: A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) 12.3.4] | Establish/Maintain Documentation | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Require that usage policies include: Acceptable uses of the technology 12.3.5] | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [Require that usage policies include: A list of all such devices and personnel with access 12.3.3] | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 [Require that usage policies include: Authentication for use of the technology 12.3.2] | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 [Require that usage policies include: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use 12.3.9] | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [Require that usage policies include: Acceptable network locations for the technologies 12.3.6] | Establish/Maintain Documentation | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [Require that usage policies include: List of company-approved products 12.3.7] | Establish/Maintain Documentation | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 [Require that usage policies include: ">Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity 12.3.8] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Business Processes | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Establish/Maintain Documentation | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5 {make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Behavior | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 [Classify media so the sensitivity of the data can be determined. 9.6.1] | Establish Roles | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Business Processes | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Maintain an inventory of system components that are in scope for PCI DSS. 2.4] | Establish/Maintain Documentation | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [Maintain an inventory of authorized wireless access points including a documented business justification. 11.1.1] | Establish/Maintain Documentation | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 [Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1] | Establish/Maintain Documentation | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Establish/Maintain Documentation | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Establish/Maintain Documentation | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Establish/Maintain Documentation | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
| Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 [Implement a process to respond to any alerts generated by the change-detection solution. 11.5.1] | Behavior | Corrective | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 [Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. 12.10.6] | Establish/Maintain Documentation | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Implement an incident response plan. Be prepared to respond immediately to a system breach. 12.10 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Establish/Maintain Documentation | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Establish/Maintain Documentation | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Establish/Maintain Documentation | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Establish/Maintain Documentation | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Establish/Maintain Documentation | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Establish/Maintain Documentation | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Establish/Maintain Documentation | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Establish/Maintain Documentation | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Establish/Maintain Documentation | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Establish/Maintain Documentation | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Establish/Maintain Documentation | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Establish/Maintain Documentation | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Establish/Maintain Documentation | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Establish/Maintain Documentation | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Establish/Maintain Documentation | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Establish/Maintain Documentation | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Establish/Maintain Documentation | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Establish/Maintain Documentation | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Establish/Maintain Documentation | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Establish/Maintain Documentation | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Establish/Maintain Documentation | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Establish/Maintain Documentation | Preventive | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Communicate | Preventive | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Acquisition/Sale of Assets or Services | Preventive | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Establish/Maintain Documentation | Preventive | |
| Analyze and respond to security alerts. CC ID 12504 | Business Processes | Detective | |
| Mitigate reported incidents. CC ID 12973 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
| Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Establish/Maintain Documentation | Preventive | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Communicate | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response team member} Designate specific personnel to be available on a 24/7 basis to respond to alerts. 12.10.3 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish Roles | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Human Resources Management | Preventive | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Investigate | Detective | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [Formally assign information security responsibilities for: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Establish/Maintain Documentation | Preventive | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 [Formally assign information security responsibilities for: Establish, document, and distribute</span> security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Communicate | Preventive | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Establish/Maintain Documentation | Preventive | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Establish/Maintain Documentation | Preventive | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Establish/Maintain Documentation | Preventive | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Establish/Maintain Documentation | Preventive | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Prepare for incident response notifications. CC ID 00584 | Establish/Maintain Documentation | Preventive | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Establish/Maintain Documentation | Preventive | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Establish/Maintain Documentation | Preventive | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Behavior | Preventive | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Behavior | Preventive | |
| Conduct incident response training. CC ID 11889 [Provide appropriate training to staff with security breach response responsibilities. 12.10.4] | Training | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the incident response policy. CC ID 14108 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the incident response policy. CC ID 14106 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the incident response policy. CC ID 14104 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the incident response policy. CC ID 14101 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Communicate | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 | Establish/Maintain Documentation | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{intrusion detection system} {intrusion prevention system} In the incident response plan Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. 12.10.5] | Establish/Maintain Documentation | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Behavior | Preventive | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Establish/Maintain Documentation | Preventive | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Systems Continuity | Preventive | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Business Processes | Preventive | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Testing | Detective | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Records Management | Preventive | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Investigate | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Investigate | Detective | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Establish/Maintain Documentation | Detective | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Establish/Maintain Documentation | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Establish/Maintain Documentation | Preventive | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 [Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. A.1.4] | Investigate | Corrective | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Communicate | Detective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Investigate | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Records Management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Investigate | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Investigate | Detective | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Establish/Maintain Documentation | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Testing | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Investigate | Detective | |
| Collect evidence from the incident scene. CC ID 02236 | Business Processes | Corrective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Establish/Maintain Documentation | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Establish/Maintain Documentation | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Establish/Maintain Documentation | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Establish/Maintain Documentation | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Establish/Maintain Documentation | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Investigate | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Investigate | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Investigate | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Investigate | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Investigate | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Investigate | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Investigate | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Investigate | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Investigate | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Investigate | Detective | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Actionable Reports or Measurements | Preventive | |
| Test the incident response procedures. CC ID 01216 [{incident response plan} Test the plan at least annually. 12.10.2] | Testing | Detective | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Maintenance | Preventive | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Change control procedures related to the implementation of security patches and software modifications must include Back-out procedures. 6.4.5.4] | Establish/Maintain Documentation | Preventive | |
| Manage change requests. CC ID 00887 | Business Processes | Preventive | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [Change control procedures related to the implementation of security patches and software modifications must include Documentation of impact. 6.4.5.1] | Establish/Maintain Documentation | Preventive | |
| Approve tested change requests. CC ID 11783 [{approve} Change control procedures related to the implementation of security patches and software modifications must include Documented change approval by authorized parties. 6.4.5.2] | Data and Information Management | Preventive | |
| Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Follow change control processes and procedures for all changes to system components. The processes must include the following: 6.4] | Business Processes | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 [Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. 6.2] | Configuration | Corrective | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
| Patch software. CC ID 11825 | Technical Security | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
| Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 [Change control procedures related to the implementation of security patches and software modifications must include Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3] | Testing | Detective | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [{make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Establish/Maintain Documentation | Preventive | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Establish/Maintain Documentation | Preventive | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Establish/Maintain Documentation | Preventive | |
| Conduct external audits of the physical security plan. CC ID 13314 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Establish/Maintain Documentation | Preventive | |
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and Environmental Protection | Preventive | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and Environmental Protection | Preventive | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and Environmental Protection | Preventive | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Configuration | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Configuration | Preventive | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
| Inspect device surfaces to detect tampering. CC ID 11868 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Investigate | Detective | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Investigate | Detective | |
| Inspect for tampering, as necessary. CC ID 10640 | Monitor and Evaluate Occurrences | Detective | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Communicate | Preventive | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. 9.9] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
| Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
| Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
| Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 [Implement procedures to identify and authorize visitors. 9.4] | Establish/Maintain Documentation | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Establish/Maintain Documentation | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Testing | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and Environmental Protection | Corrective | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual yle="background-color:#F0BBBC;" class="term_primary-noun">job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Establish/Maintain Documentation | Preventive | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Establish/Maintain Documentation | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
| Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 [Include in the visitor identification procedures Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. 9.4.2] | Behavior | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 [Include in the visitor identification procedures Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. 9.4.3] | Behavior | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Establish/Maintain Documentation | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Establish/Maintain Documentation | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
| Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. 9.1] | Monitor and Evaluate Occurrences | Detective | |
| Establish and maintain a visitor log. CC ID 00715 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Log Management | Preventive | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Log Management | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Log Management | Preventive | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Monitor and Evaluate Occurrences | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Monitor and Evaluate Occurrences | Detective | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
| Retain video events according to Records Management procedures. CC ID 06304 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Records Management | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{internal distribution} Maintain strict control over the internal or external distribution of any kind of media, including the following: 9.6] | Records Management | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). 9.6.3] | Records Management | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 [Send the media by secured courier or other delivery method that can be accurately tracked. 9.6.2] | Business Processes | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Data and Information Management | Detective | |
| Restrict physical access to distributed assets. CC ID 11865 [{networking hardware} Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. 9.1.3 {physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and Environmental Protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and Environmental Protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 [Restrict physical access to cardholder data Requirement 9] | Physical and Environmental Protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
| Control access to restricted storage media. CC ID 04889 [Maintain strict control over the storage and accessibility of media. 9.7 {file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Data and Information Management | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 [Protect stored cardholder data. Requirement 3 Physically secure all media. 9.5] | Physical and Environmental Protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Records Management | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Log Management | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 [Maintain strict control over the storage and accessibility of media. 9.7] | Records Management | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and Environmental Protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and Environmental Protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Configuration | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and Environmental Protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and Environmental Protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
| Monitor the location of distributed assets. CC ID 11684 | Monitor and Evaluate Occurrences | Detective | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Establish/Maintain Documentation | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and Environmental Protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Establish/Maintain Documentation | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Behavior | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Behavior | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Behavior | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Behavior | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Behavior | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Configuration | Preventive | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Investigate | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Monitor and Evaluate Occurrences | Corrective | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Technical Security | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Establish/Maintain Documentation | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and Environmental Protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Technical Security | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Configuration | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Technical Security | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Establish/Maintain Documentation | Preventive | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and Environmental Protection | Preventive | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and Environmental Protection | Detective | |
| Lock closable storage containers. CC ID 06307 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Establish/Maintain Documentation | Preventive | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Business Processes | Preventive | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Establish/Maintain Documentation | Preventive | |
| Control the issuance of payment cards. CC ID 06403 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Establish/Maintain Documentation | Preventive | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Establish Roles | Preventive | |
| Inventory payment cards, as necessary. CC ID 13547 | Records Management | Preventive | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and Environmental Protection | Preventive | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and Environmental Protection | Preventive | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Business Processes | Preventive | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Establish/Maintain Documentation | Preventive | |
| Notify customers about payment card usage security measures. CC ID 06407 | Behavior | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and Environmental Protection | Preventive | |
| Install and protect network cabling. CC ID 08624 | Physical and Environmental Protection | Preventive | |
| Control physical access to network cables. CC ID 00723 | Process or Activity | Preventive | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and Environmental Protection | Preventive | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and Environmental Protection | Preventive | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and Environmental Protection | Detective | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and Environmental Protection | Preventive | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and Environmental Protection | Preventive | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and Environmental Protection | Detective | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and Environmental Protection | Preventive | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Establish/Maintain Documentation | Preventive | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and Environmental Protection | Preventive | |
| Label each end of a network cable run. CC ID 08632 | Physical and Environmental Protection | Preventive | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and Environmental Protection | Preventive | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and Environmental Protection | Preventive | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Establish/Maintain Documentation | Preventive | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and Environmental Protection | Preventive | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and Environmental Protection | Preventive | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and Environmental Protection | Preventive | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and Environmental Protection | Preventive | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and Environmental Protection | Preventive | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and Environmental Protection | Preventive | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and Environmental Protection | Preventive | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Configuration | Preventive | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 [{physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and Environmental Protection | Preventive | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and Environmental Protection | Preventive | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and Environmental Protection | Preventive | |
| Install and maintain network patch panels. CC ID 08636 | Physical and Environmental Protection | Preventive | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and Environmental Protection | Preventive | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and Environmental Protection | Preventive | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and Environmental Protection | Preventive | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and Environmental Protection | Preventive | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and Environmental Protection | Preventive | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and Environmental Protection | Preventive | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and Environmental Protection | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 [Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. 3.3] | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 [{primary account number} Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). 4.2] | Data and Information Management | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 [Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. 3.2.1] | Testing | Detective | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization. 3.2.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. 3.2.3] | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 [Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2] | Technical Security | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 [Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: - One-way hashes based on strong cryptography, (hash must be of the entire PAN) - Truncation (hashing cannot be used to replace the truncated segment of PAN) - Index tokens and pads (pads must be securely stored) - Strong cryptography with associated key-management processes and procedures. 3.4] | Technical Security | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1 {legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Records Management | Preventive | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Establish/Maintain Documentation | Preventive | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 [Destroy media when it is no longer needed for business or legal reasons as follows: 9.8 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. 9.8.2] | Testing | Detective | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Testing | Detective | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Establish/Maintain Documentation | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records Management | Preventive | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Data and Information Management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be m_secondary-verb">destroyed. 9.8.1] | Physical and Environmental Protection | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. 9.8.1] | Physical and Environmental Protection | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Establish/Maintain Documentation | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | Business Processes | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | Establish/Maintain Documentation | Preventive | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | Communicate | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | Communicate | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | Establish/Maintain Documentation | Preventive | |
| Approve the configuration management plan. CC ID 14717 | Business Processes | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | Establish/Maintain Documentation | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | Establish/Maintain Documentation | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | Establish/Maintain Documentation | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | Establish/Maintain Documentation | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | Establish/Maintain Documentation | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | Establish/Maintain Documentation | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | Establish/Maintain Documentation | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | Establish/Maintain Documentation | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | Establish/Maintain Documentation | Preventive | |
| Employ the Configuration Management program. CC ID 11904 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | Configuration | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | Establish/Maintain Documentation | Preventive | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | Testing | Detective | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | Communicate | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | Establish/Maintain Documentation | Preventive | |
| Document external connections for all systems. CC ID 06415 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | Establish/Maintain Documentation | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 [Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | Configuration | Preventive | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | Establish/Maintain Documentation | Preventive | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 | Configuration | Preventive | |
| Document and justify system hardening standard exceptions. CC ID 06845 | Configuration | Preventive | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 | Technical Security | Preventive | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or erb">style="background-color:#F0BBBC;" class="term_primary-noun">session. 8.1.8] | Technical Security | Preventive | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 | Configuration | Preventive | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | Configuration | Preventive | |
| Invalidate session identifiers upon session termination. CC ID 10649 | Technical Security | Preventive | |
| Change default configurations, as necessary. CC ID 00877 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | Configuration | Preventive | |
| Configure custom security parameters for X-Windows. CC ID 02168 | Configuration | Preventive | |
| Configure custom security settings for Lotus Domino. CC ID 02171 | Configuration | Preventive | |
| Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | Configuration | Preventive | |
| Configure custom Security settings for Sun Answerbook2. CC ID 02178 | Configuration | Preventive | |
| Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | Configuration | Preventive | |
| Configure and secure each interface for Executive Interfaces. CC ID 02182 | Configuration | Preventive | |
| Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | Configuration | Preventive | |
| Configure the unisys executive (GENNED) GEN tags. CC ID 02184 | Configuration | Preventive | |
| Reconfigure the default Console Mode privileges. CC ID 02189 | Configuration | Preventive | |
| Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | Configuration | Preventive | |
| Configure security profiles for the various Console Mode levels. CC ID 02191 | Configuration | Preventive | |
| Configure custom access privileges for all mapper files. CC ID 02194 | Configuration | Preventive | |
| Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | Configuration | Preventive | |
| Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | Configuration | Preventive | |
| Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | Configuration | Preventive | |
| Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | Configuration | Preventive | |
| Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | Configuration | Preventive | |
| Complete the NetWare eGuide configuration. CC ID 04449 | Configuration | Preventive | |
| Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | Configuration | Preventive | |
| Set the low security directory list properly. CC ID 04903 | Configuration | Preventive | |
| Set the medium security directory list properly. CC ID 04904 | Configuration | Preventive | |
| Set the high security directory list properly. CC ID 04905 | Configuration | Preventive | |
| Set the UID aliases pointer properly. CC ID 04906 | Configuration | Preventive | |
| Verify users are listed in the ASET userlist file. CC ID 04907 | Technical Security | Preventive | |
| Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | Testing | Preventive | |
| Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | Configuration | Preventive | |
| Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | Configuration | Preventive | |
| Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | Configuration | Preventive | |
| Configure the system's booting configuration. CC ID 10656 | Configuration | Preventive | |
| Configure the system to boot directly to the correct Operating System. CC ID 04509 | Configuration | Preventive | |
| Verify an appropriate bootloader is used. CC ID 04900 | Configuration | Preventive | |
| Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | Configuration | Preventive | |
| Configure the system to boot from hardware enforced read-only media. CC ID 10657 | Configuration | Preventive | |
| Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | Configuration | Preventive | |
| Change the community string for Simple Network Management Protocol, as necessary. CC ID 01872 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | Configuration | Preventive | |
| Configure the system's storage media. CC ID 10618 | Configuration | Preventive | |
| Configure the system's electronic storage media's encryption settings. CC ID 11927 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1] | Configuration | Preventive | |
| Implement only one application or primary function per network component or server. CC ID 00879 [Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. 2.2.1] | Systems Design, Build, and Implementation | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. 2.2.5] | Configuration | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | Establish/Maintain Documentation | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | Configuration | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | Configuration | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | Configuration | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | Configuration | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | Configuration | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | Configuration | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | Configuration | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | Configuration | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | Configuration | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | Configuration | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | Configuration | Preventive | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | Testing | Detective | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | Configuration | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | Configuration | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | Configuration | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | Configuration | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | Configuration | Preventive | |
| Disable Autorun. CC ID 01790 | Configuration | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | Configuration | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | Configuration | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | Configuration | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | Configuration | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | Configuration | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | Configuration | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | Configuration | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | Configuration | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | Configuration | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | Configuration | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | Technical Security | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | Configuration | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | Configuration | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | Configuration | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | Configuration | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | Configuration | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | Configuration | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | Configuration | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | Configuration | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | Configuration | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | Configuration | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | Configuration | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | Configuration | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | Configuration | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | Configuration | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | Configuration | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | Configuration | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | Configuration | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | Configuration | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | Configuration | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | Configuration | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | Configuration | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | Configuration | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | Configuration | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | Configuration | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | Configuration | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | Configuration | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | Configuration | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | Configuration | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | Configuration | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | Configuration | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | Configuration | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | Configuration | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | Configuration | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | Configuration | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | Configuration | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | Configuration | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | Configuration | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | Configuration | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | Configuration | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | Configuration | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | Configuration | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | Configuration | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | Configuration | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | Configuration | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | Establish/Maintain Documentation | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | Configuration | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | Data and Information Management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | Configuration | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | Configuration | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | Configuration | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | Configuration | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | Configuration | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | Configuration | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | Configuration | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | Configuration | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | Configuration | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | Configuration | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | Configuration | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | Configuration | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | Configuration | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | Configuration | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | Configuration | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | Configuration | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | Configuration | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | Configuration | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | Configuration | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | Configuration | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | Configuration | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | Configuration | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | Configuration | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | Configuration | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | Configuration | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | Configuration | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | Configuration | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | Configuration | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | Configuration | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | Configuration | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | Configuration | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | Configuration | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | Configuration | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | Configuration | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | Configuration | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | Configuration | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | Configuration | Preventive | |
| Configure Avahi properly. CC ID 05109 | Configuration | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | Configuration | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | Configuration | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | Configuration | Preventive | |
| Configure the apache web service properly. CC ID 05113 | Configuration | Preventive | |
| Configure the vlock package properly. CC ID 05114 | Configuration | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | Technical Security | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | Technical Security | Detective | |
| Manage access credentials for service accounts. CC ID 13862 | Technical Security | Preventive | |
| Configure the daemon account properly. CC ID 05115 | Configuration | Preventive | |
| Configure the bin account properly. CC ID 05116 | Configuration | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | Configuration | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | Configuration | Preventive | |
| Configure the listen account properly. CC ID 05119 | Configuration | Preventive | |
| Configure the gdm account properly. CC ID 05120 | Configuration | Preventive | |
| Configure the webservd account properly. CC ID 05121 | Configuration | Preventive | |
| Configure the nobody account properly. CC ID 05122 | Configuration | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | Configuration | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | Configuration | Preventive | |
| Configure the sys account properly. CC ID 05125 | Configuration | Preventive | |
| Configure the adm account properly. CC ID 05126 | Configuration | Preventive | |
| Configure the lp account properly. CC ID 05127 | Configuration | Preventive | |
| Configure the uucp account properly. CC ID 05128 | Configuration | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | Configuration | Preventive | |
| Enable the web console as necessary. CC ID 05131 | Configuration | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | Configuration | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | Configuration | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | Configuration | Preventive | |
| Configure Squid properly. CC ID 05135 | Configuration | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | Establish/Maintain Documentation | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | Establish/Maintain Documentation | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | Establish/Maintain Documentation | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | Establish/Maintain Documentation | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | Establish/Maintain Documentation | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | Establish/Maintain Documentation | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | Establish/Maintain Documentation | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | Establish/Maintain Documentation | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | Establish/Maintain Documentation | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | Establish/Maintain Documentation | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | Establish/Maintain Documentation | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | Configuration | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | Configuration | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | Configuration | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | Configuration | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | Configuration | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | Configuration | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | Configuration | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | Configuration | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | Configuration | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | Configuration | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | Configuration | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | Configuration | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | Configuration | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | Configuration | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | Configuration | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | Configuration | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | Configuration | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | Configuration | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 2.2.2] | Configuration | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | Configuration | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | Configuration | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | Configuration | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | Configuration | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | Configuration | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | Configuration | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | Configuration | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | Configuration | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | Configuration | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | Configuration | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | Configuration | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | Configuration | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | Configuration | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | Configuration | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | Configuration | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | Configuration | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | Configuration | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | Configuration | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | Configuration | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | Configuration | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | Configuration | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | Configuration | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | Configuration | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | Configuration | Preventive | |
| Disable File Service Protocol. CC ID 02167 | Configuration | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | Configuration | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | Configuration | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | Configuration | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | Configuration | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | Configuration | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | Configuration | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | Configuration | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | Configuration | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | Configuration | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | Configuration | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | Configuration | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | Configuration | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | Configuration | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | Configuration | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | Configuration | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | Configuration | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | Configuration | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | Configuration | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | Configuration | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | Configuration | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | Configuration | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | Configuration | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | Configuration | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | Configuration | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | Configuration | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | Configuration | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | Configuration | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | Configuration | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | Configuration | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | Configuration | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | Configuration | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | Configuration | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | Configuration | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | Configuration | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | Configuration | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | Configuration | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | Configuration | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | Configuration | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | Configuration | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | Configuration | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | Configuration | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | Configuration | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | Configuration | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | Configuration | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | Configuration | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | Configuration | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | Configuration | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | Configuration | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | Configuration | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | Configuration | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | Configuration | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | Configuration | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | Configuration | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | Configuration | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | Configuration | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | Configuration | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | Configuration | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | Configuration | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | Configuration | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | Configuration | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | Configuration | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | Configuration | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | Configuration | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | Configuration | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | Configuration | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | Configuration | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | Configuration | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | Configuration | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | Configuration | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | Configuration | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | Configuration | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | Configuration | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | Configuration | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | Configuration | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | Configuration | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | Configuration | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | Configuration | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | Configuration | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | Configuration | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | Configuration | Preventive | |
| Enable the network service as necessary. CC ID 04972 | Configuration | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | Configuration | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | Configuration | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | Configuration | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | Configuration | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | Configuration | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | Configuration | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | Configuration | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | Configuration | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | Configuration | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | Configuration | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | Configuration | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | Configuration | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | Configuration | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | Configuration | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | Configuration | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | Configuration | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | Configuration | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | Configuration | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | Configuration | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | Configuration | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | Configuration | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | Configuration | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | Configuration | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | Configuration | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | Configuration | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | Configuration | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | Configuration | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | Configuration | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | Configuration | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | Configuration | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | Configuration | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | Configuration | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | Configuration | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | Configuration | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | Configuration | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | Configuration | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | Configuration | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | Configuration | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | Configuration | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | Configuration | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | Configuration | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | Configuration | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | Configuration | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | Configuration | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | Configuration | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | Configuration | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | Configuration | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | Configuration | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | Configuration | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | Configuration | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | Configuration | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | Configuration | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | Configuration | Preventive | |
| Configure the IAS service properly. CC ID 05028 | Configuration | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | Configuration | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | Configuration | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | Configuration | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | Configuration | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | Configuration | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | Configuration | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | Configuration | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | Configuration | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | Configuration | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | Configuration | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | Configuration | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | Configuration | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | Configuration | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | Configuration | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | Configuration | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | Configuration | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | Configuration | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | Configuration | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | Configuration | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | Configuration | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | Configuration | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | Configuration | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | Configuration | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | Configuration | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | Configuration | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | Configuration | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | Configuration | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | Configuration | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | Configuration | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | Configuration | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | Configuration | Preventive | |
| Configure the Server service properly. CC ID 05063 | Configuration | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | Configuration | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | Configuration | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | Configuration | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | Configuration | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | Configuration | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | Configuration | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | Configuration | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | Configuration | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | Configuration | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | Configuration | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | Configuration | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | Configuration | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | Configuration | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | Configuration | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | Configuration | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | Configuration | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | Configuration | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | Configuration | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | Configuration | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | Configuration | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | Configuration | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | Configuration | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | Configuration | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | Configuration | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | Configuration | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | Configuration | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | Configuration | Preventive | |
| Configure the Themes service properly. CC ID 05091 | Configuration | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | Configuration | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | Configuration | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | Configuration | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | Configuration | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | Configuration | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | Configuration | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | Configuration | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | Configuration | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | Configuration | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | Configuration | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | Configuration | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | Configuration | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | Configuration | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | Configuration | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | Configuration | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | Configuration | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | Configuration | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | Configuration | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | Configuration | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | Configuration | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | Configuration | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | Configuration | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | Configuration | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | Configuration | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | Configuration | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | Establish/Maintain Documentation | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | Configuration | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 [{passphrase} Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. 8.2.6] | Configuration | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | Configuration | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
| Change all default authenticators. CC ID 15309 [Do not use vendor-supplied defaults for system passwords and other security parameters. Requirement 2 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | Configuration | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Configure system security parameters to prevent misuse. 2.2.4] | Configuration | Preventive | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | Configuration | Preventive | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | Configuration | Preventive | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | Configuration | Preventive | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | Configuration | Preventive | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | Configuration | Preventive | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | Configuration | Preventive | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | Configuration | Preventive | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | Configuration | Preventive | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | Configuration | Preventive | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | Configuration | Preventive | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | Configuration | Preventive | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | Configuration | Preventive | |
| Store state information from applications and software separately. CC ID 14767 | Configuration | Preventive | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | Configuration | Preventive | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | Configuration | Preventive | |
| Configure the "device" argument to organizational standards. CC ID 14536 | Configuration | Preventive | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | Configuration | Preventive | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | Configuration | Preventive | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | Configuration | Preventive | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | Configuration | Preventive | |
| Configure the system to enable Stack protection. CC ID 01514 | Configuration | Preventive | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | Configuration | Preventive | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | Configuration | Preventive | |
| Configure the system to a default secure level. CC ID 01519 | Configuration | Preventive | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | Configuration | Preventive | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | Configuration | Preventive | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | Configuration | Preventive | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | Configuration | Preventive | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | Configuration | Preventive | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | Configuration | Preventive | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | Configuration | Preventive | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | Configuration | Preventive | |
| Verify system files are not world-writable. CC ID 01546 | Technical Security | Preventive | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | Technical Security | Preventive | |
| Run hp_checkperms. CC ID 01548 | Configuration | Preventive | |
| Run fix-modes. CC ID 01549 | Configuration | Preventive | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | Configuration | Preventive | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | Configuration | Preventive | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | Configuration | Preventive | |
| Find files and directories with extended attributes. CC ID 01552 | Technical Security | Detective | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | Configuration | Preventive | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | Configuration | Preventive | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | Configuration | Preventive | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | Configuration | Preventive | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | Configuration | Preventive | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | Configuration | Preventive | |
| Enable the safe DLL search mode. CC ID 04273 | Configuration | Preventive | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | Configuration | Preventive | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | Configuration | Preventive | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | Configuration | Preventive | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | Configuration | Preventive | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | Configuration | Preventive | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | Configuration | Preventive | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | Configuration | Preventive | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | Configuration | Preventive | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | Configuration | Preventive | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | Configuration | Preventive | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | Configuration | Preventive | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | Configuration | Preventive | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | Configuration | Preventive | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | Configuration | Preventive | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | Configuration | Preventive | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | Configuration | Preventive | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | Configuration | Preventive | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | Configuration | Preventive | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | Configuration | Preventive | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | Configuration | Preventive | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | Configuration | Preventive | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | Configuration | Preventive | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | Configuration | Preventive | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | Configuration | Preventive | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | Configuration | Preventive | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | Configuration | Preventive | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | Configuration | Preventive | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | Configuration | Preventive | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | Configuration | Preventive | |
| Configure the NetWare bindery contexts. CC ID 04444 | Configuration | Preventive | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | Configuration | Preventive | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | Configuration | Preventive | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | Configuration | Preventive | |
| Configure the /etc/sshd_config file. CC ID 04475 | Configuration | Preventive | |
| Configure the .Mac preferences. CC ID 04484 | Configuration | Preventive | |
| Configure the Fast User Switching setting. CC ID 04485 | Configuration | Preventive | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | Configuration | Preventive | |
| Configure Apple's Dock preferences. CC ID 04487 | Configuration | Preventive | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | Configuration | Preventive | |
| Configure the Energy Saver preferences. CC ID 04488 | Configuration | Preventive | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | Configuration | Preventive | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | Technical Security | Preventive | |
| Manage temporary files, as necessary. CC ID 04847 | Technical Security | Preventive | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | Configuration | Preventive | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | Configuration | Preventive | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | Configuration | Preventive | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | Configuration | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | Configuration | Preventive | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | Configuration | Preventive | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | Configuration | Preventive | |
| Configure the File System Checker and Popups setting. CC ID 05289 | Configuration | Preventive | |
| Configure the System File Checker setting. CC ID 05290 | Configuration | Preventive | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | Configuration | Preventive | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | Configuration | Preventive | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | Configuration | Preventive | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | Configuration | Preventive | |
| Verify all files are owned by an existing account and group. CC ID 05295 | Configuration | Preventive | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | Configuration | Preventive | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | Configuration | Preventive | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | Configuration | Preventive | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | Configuration | Preventive | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | Configuration | Preventive | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | Configuration | Preventive | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | Configuration | Preventive | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | Configuration | Preventive | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | Configuration | Preventive | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | Configuration | Preventive | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | Configuration | Preventive | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | Configuration | Preventive | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | Configuration | Preventive | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | Configuration | Preventive | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | Configuration | Preventive | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | Configuration | Preventive | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | Configuration | Preventive | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | Technical Security | Preventive | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | Configuration | Preventive | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | Configuration | Preventive | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | Configuration | Preventive | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | Configuration | Preventive | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | Configuration | Preventive | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | Log Management | Preventive | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | Configuration | Preventive | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | Configuration | Preventive | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | Configuration | Preventive | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | Configuration | Preventive | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | Technical Security | Preventive | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | Configuration | Preventive | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | Configuration | Preventive | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | Configuration | Preventive | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | Configuration | Preventive | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | Configuration | Preventive | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | Configuration | Preventive | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | Configuration | Preventive | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | Configuration | Preventive | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | Configuration | Preventive | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | Configuration | Preventive | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | Configuration | Preventive | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | Configuration | Preventive | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | Configuration | Preventive | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | Configuration | Preventive | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | Configuration | Preventive | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | Configuration | Preventive | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | Configuration | Preventive | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | Configuration | Preventive | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | Configuration | Preventive | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | Configuration | Preventive | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | Configuration | Preventive | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | Configuration | Preventive | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | Configuration | Preventive | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | Configuration | Preventive | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | Configuration | Preventive | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | Configuration | Preventive | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | Configuration | Preventive | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | Configuration | Preventive | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | Configuration | Preventive | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | Configuration | Preventive | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | Configuration | Preventive | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | Configuration | Preventive | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | Configuration | Preventive | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | Configuration | Preventive | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | Configuration | Preventive | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | Configuration | Preventive | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | Configuration | Preventive | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | Configuration | Preventive | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | Configuration | Preventive | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | Configuration | Preventive | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | Configuration | Preventive | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | Configuration | Preventive | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | Configuration | Preventive | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | Configuration | Preventive | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | Configuration | Preventive | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | Configuration | Preventive | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | Configuration | Preventive | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | Configuration | Preventive | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | Configuration | Preventive | |
| Set the X server timeout properly. CC ID 05374 | Configuration | Preventive | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | Configuration | Preventive | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | Configuration | Preventive | |
| Set the SELinux state properly. CC ID 05377 | Configuration | Preventive | |
| Set the SELinux policy properly. CC ID 05378 | Configuration | Preventive | |
| Configure Dovecot properly. CC ID 05379 | Configuration | Preventive | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | Configuration | Preventive | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | Configuration | Preventive | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | Configuration | Preventive | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | Configuration | Preventive | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | Configuration | Preventive | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | Configuration | Preventive | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | Configuration | Preventive | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | Configuration | Preventive | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | Configuration | Preventive | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | Configuration | Preventive | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | Configuration | Preventive | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | Configuration | Preventive | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | Configuration | Preventive | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | Configuration | Preventive | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | Configuration | Preventive | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | Configuration | Preventive | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | Configuration | Preventive | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | Configuration | Preventive | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | Configuration | Preventive | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | Configuration | Preventive | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | Configuration | Preventive | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | Configuration | Preventive | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | Configuration | Preventive | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | Configuration | Preventive | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | Configuration | Preventive | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | Configuration | Preventive | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | Configuration | Preventive | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | Configuration | Preventive | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | Configuration | Preventive | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | Configuration | Preventive | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | Configuration | Preventive | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | Configuration | Preventive | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | Configuration | Preventive | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | Configuration | Preventive | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | Configuration | Preventive | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | Configuration | Preventive | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | Configuration | Preventive | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | Configuration | Preventive | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | Configuration | Preventive | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | Configuration | Preventive | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | Configuration | Preventive | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | Configuration | Preventive | |
| Enable the ExecShield, as appropriate. CC ID 05421 | Configuration | Preventive | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | Configuration | Preventive | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | Configuration | Preventive | |
| Configure the Shell for the bin account properly. CC ID 05424 | Configuration | Preventive | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | Configuration | Preventive | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | Configuration | Preventive | |
| Configure the Shell for the listen account properly. CC ID 05427 | Configuration | Preventive | |
| Configure the Shell for the gdm account properly. CC ID 05428 | Configuration | Preventive | |
| Configure the Shell for the webservd account properly. CC ID 05429 | Configuration | Preventive | |
| Configure the Shell for the nobody account properly. CC ID 05430 | Configuration | Preventive | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | Configuration | Preventive | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | Configuration | Preventive | |
| Configure the Shell for the adm account properly. CC ID 05433 | Configuration | Preventive | |
| Configure the Shell for the lp account properly. CC ID 05434 | Configuration | Preventive | |
| Configure the Shell for the uucp account properly. CC ID 05435 | Configuration | Preventive | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | Configuration | Preventive | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | Configuration | Preventive | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | Configuration | Preventive | |
| Set the TCP max connection limit properly. CC ID 05440 | Configuration | Preventive | |
| Set the TCP abort interval properly. CC ID 05441 | Configuration | Preventive | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | Configuration | Preventive | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | Configuration | Preventive | |
| Set the ARP IRE scan rate properly. CC ID 05444 | Configuration | Preventive | |
| Disable proxy ARP on all interfaces. CC ID 06570 | Configuration | Preventive | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | Configuration | Preventive | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | Configuration | Preventive | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | Configuration | Preventive | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | Configuration | Preventive | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | Configuration | Preventive | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | Configuration | Preventive | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | Configuration | Preventive | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | Configuration | Preventive | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | Configuration | Preventive | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | Configuration | Preventive | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | Configuration | Preventive | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | Configuration | Preventive | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | Configuration | Preventive | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | Configuration | Preventive | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | Configuration | Preventive | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | Configuration | Preventive | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | Configuration | Preventive | |
| Configure the system to purge Policy Caches. CC ID 06569 | Configuration | Preventive | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | Configuration | Preventive | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | Configuration | Preventive | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | Establish/Maintain Documentation | Preventive | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | Establish/Maintain Documentation | Preventive | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | Establish/Maintain Documentation | Preventive | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | Configuration | Preventive | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | Configuration | Preventive | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | Configuration | Preventive | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | Configuration | Preventive | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | Configuration | Preventive | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | Configuration | Preventive | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | Configuration | Preventive | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | Configuration | Preventive | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | Configuration | Preventive | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | Configuration | Preventive | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | Configuration | Preventive | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | Configuration | Preventive | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | Configuration | Preventive | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | Configuration | Preventive | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | Configuration | Preventive | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | Configuration | Preventive | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | Configuration | Preventive | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | Configuration | Preventive | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | Configuration | Preventive | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | Configuration | Preventive | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | Configuration | Preventive | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | Configuration | Preventive | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | Configuration | Preventive | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | Configuration | Preventive | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | Configuration | Preventive | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | Configuration | Preventive | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | Configuration | Preventive | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | Configuration | Preventive | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | Configuration | Preventive | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | Configuration | Preventive | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | Configuration | Preventive | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | Configuration | Preventive | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | Configuration | Preventive | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | Configuration | Preventive | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | Configuration | Preventive | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | Configuration | Preventive | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | Configuration | Preventive | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | Configuration | Preventive | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | Configuration | Preventive | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | Configuration | Preventive | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | Configuration | Preventive | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | Configuration | Preventive | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | Configuration | Preventive | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | Configuration | Preventive | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | Configuration | Preventive | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | Configuration | Preventive | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | Configuration | Preventive | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | Configuration | Preventive | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | Configuration | Preventive | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | Configuration | Preventive | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | Configuration | Preventive | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | Configuration | Preventive | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | Configuration | Preventive | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | Configuration | Preventive | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | Configuration | Preventive | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | Configuration | Preventive | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | Configuration | Preventive | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | Configuration | Preventive | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | Configuration | Preventive | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | Configuration | Preventive | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | Configuration | Preventive | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | Configuration | Preventive | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | Configuration | Preventive | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | Configuration | Preventive | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | Configuration | Preventive | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | Configuration | Preventive | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | Configuration | Preventive | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | Configuration | Preventive | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | Configuration | Preventive | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | Configuration | Preventive | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | Configuration | Preventive | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | Configuration | Preventive | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | Configuration | Preventive | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | Configuration | Preventive | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | Configuration | Preventive | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | Configuration | Preventive | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | Configuration | Preventive | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | Configuration | Preventive | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | Configuration | Preventive | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | Configuration | Preventive | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | Configuration | Preventive | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | Configuration | Preventive | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | Configuration | Preventive | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | Configuration | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | Configuration | Preventive | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | Configuration | Preventive | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | Configuration | Preventive | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | Configuration | Preventive | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | Configuration | Preventive | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | Configuration | Preventive | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | Configuration | Preventive | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | Configuration | Preventive | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | Configuration | Preventive | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | Configuration | Preventive | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | Configuration | Preventive | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | Configuration | Preventive | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | Configuration | Preventive | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | Configuration | Preventive | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | Configuration | Preventive | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | Configuration | Preventive | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | Configuration | Preventive | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | Configuration | Preventive | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | Configuration | Preventive | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | Configuration | Preventive | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | Configuration | Preventive | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | Configuration | Preventive | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | Configuration | Preventive | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | Configuration | Preventive | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | Configuration | Preventive | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | Configuration | Preventive | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | Configuration | Preventive | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | Configuration | Preventive | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | Configuration | Preventive | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | Configuration | Preventive | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | Configuration | Preventive | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | Configuration | Preventive | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | Configuration | Preventive | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | Configuration | Preventive | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | Configuration | Preventive | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | Configuration | Preventive | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | Configuration | Preventive | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | Configuration | Preventive | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | Configuration | Preventive | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | Configuration | Preventive | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | Configuration | Preventive | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | Configuration | Preventive | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | Configuration | Preventive | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | Configuration | Preventive | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | Configuration | Preventive | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | Configuration | Preventive | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | Configuration | Preventive | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | Configuration | Preventive | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | Configuration | Preventive | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | Configuration | Preventive | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | Configuration | Preventive | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | Configuration | Preventive | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | Configuration | Preventive | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | Configuration | Preventive | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | Configuration | Preventive | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | Configuration | Preventive | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | Configuration | Preventive | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | Configuration | Preventive | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | Configuration | Preventive | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | Configuration | Preventive | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | Configuration | Preventive | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | Configuration | Preventive | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | Configuration | Preventive | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | Configuration | Preventive | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | Configuration | Preventive | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | Configuration | Preventive | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | Configuration | Preventive | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | Configuration | Preventive | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | Configuration | Preventive | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | Configuration | Preventive | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | Configuration | Preventive | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | Configuration | Preventive | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | Configuration | Preventive | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | Configuration | Preventive | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | Configuration | Preventive | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | Configuration | Preventive | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | Configuration | Preventive | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | Configuration | Preventive | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | Configuration | Preventive | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | Configuration | Preventive | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | Configuration | Preventive | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | Configuration | Preventive | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | Configuration | Preventive | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | Configuration | Preventive | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | Configuration | Preventive | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | Configuration | Preventive | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | Configuration | Preventive | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | Configuration | Preventive | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | Configuration | Preventive | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | Configuration | Preventive | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | Configuration | Preventive | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | Configuration | Preventive | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | Configuration | Preventive | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | Configuration | Preventive | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | Configuration | Preventive | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | Configuration | Preventive | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | Configuration | Preventive | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | Configuration | Preventive | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | Configuration | Preventive | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | Configuration | Preventive | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | Configuration | Preventive | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | Configuration | Preventive | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | Configuration | Preventive | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | Configuration | Preventive | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | Configuration | Preventive | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | Configuration | Preventive | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | Configuration | Preventive | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | Configuration | Preventive | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | Configuration | Preventive | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | Configuration | Preventive | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | Configuration | Preventive | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | Configuration | Preventive | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | Configuration | Preventive | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | Configuration | Preventive | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | Configuration | Preventive | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | Configuration | Preventive | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | Configuration | Preventive | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | Configuration | Preventive | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | Configuration | Preventive | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | Configuration | Preventive | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | Configuration | Preventive | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | Configuration | Preventive | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | Configuration | Preventive | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | Configuration | Preventive | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | Configuration | Preventive | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | Configuration | Preventive | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | Configuration | Preventive | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | Configuration | Preventive | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | Configuration | Preventive | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | Configuration | Preventive | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | Configuration | Preventive | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | Configuration | Preventive | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | Configuration | Preventive | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | Configuration | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | Configuration | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | Configuration | Preventive | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | Configuration | Preventive | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | Configuration | Preventive | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | Configuration | Preventive | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | Configuration | Preventive | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | Configuration | Preventive | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | Configuration | Preventive | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | Configuration | Preventive | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | Configuration | Preventive | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | Configuration | Preventive | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | Configuration | Preventive | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | Configuration | Preventive | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | Configuration | Preventive | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | Configuration | Preventive | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | Configuration | Preventive | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | Configuration | Preventive | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | Configuration | Preventive | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | Configuration | Preventive | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | Configuration | Preventive | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | Configuration | Preventive | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | Configuration | Preventive | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | Configuration | Preventive | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | Configuration | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | Configuration | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | Configuration | Preventive | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | Configuration | Preventive | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | Configuration | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | Configuration | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | Configuration | Preventive | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | Configuration | Preventive | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | Configuration | Preventive | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | Configuration | Preventive | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | Configuration | Preventive | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | Configuration | Preventive | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | Configuration | Preventive | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | Configuration | Preventive | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | Configuration | Preventive | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | Configuration | Preventive | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | Configuration | Preventive | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | Configuration | Preventive | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | Configuration | Preventive | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | Configuration | Preventive | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | Configuration | Preventive | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | Configuration | Preventive | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | Configuration | Preventive | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | Configuration | Preventive | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | Configuration | Preventive | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | Configuration | Preventive | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | Configuration | Preventive | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | Configuration | Preventive | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | Configuration | Preventive | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | Configuration | Preventive | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | Configuration | Preventive | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | Configuration | Preventive | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | Configuration | Preventive | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | Configuration | Preventive | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | Configuration | Preventive | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | Configuration | Preventive | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | Configuration | Preventive | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | Configuration | Preventive | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | Configuration | Preventive | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | Configuration | Preventive | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | Configuration | Preventive | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | Configuration | Preventive | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | Configuration | Preventive | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | Configuration | Preventive | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | Configuration | Preventive | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | Configuration | Preventive | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | Configuration | Preventive | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | Configuration | Preventive | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | Configuration | Preventive | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | Configuration | Preventive | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | Configuration | Preventive | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | Configuration | Preventive | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | Configuration | Preventive | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | Configuration | Preventive | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | Configuration | Preventive | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | Configuration | Preventive | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | Configuration | Preventive | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | Configuration | Preventive | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | Configuration | Preventive | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | Configuration | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | Configuration | Preventive | |
| Configure user accounts. CC ID 07036 | Configuration | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1] | Configuration | Preventive | |
| Disable or delete shared User IDs. CC ID 12478 | Configuration | Corrective | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | Configuration | Detective | |
| Disable or delete generic user IDs. CC ID 12479 | Configuration | Corrective | |
| Disable all unnecessary user identifiers. CC ID 02185 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | Configuration | Preventive | |
| Remove unnecessary user credentials. CC ID 16409 | Configuration | Preventive | |
| Remove the root user as appropriate. CC ID 01582 | Configuration | Preventive | |
| Disable or remove the null account. CC ID 06572 | Configuration | Preventive | |
| Configure accounts with administrative privilege. CC ID 07033 | Configuration | Preventive | |
| Encrypt non-console administrative access. CC ID 00883 [Encrypt all non-console administrative access using strong cryptography. 2.3] | Configuration | Preventive | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | Technical Security | Preventive | |
| Configure the time server in accordance with organizational standards. CC ID 06426 | Configuration | Preventive | |
| Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Configure the time servers to ensure Time settings are received from industry-accepted time sources. 10.4.3] | Configuration | Preventive | |
| Restrict access to time server configuration to personnel with a business need. CC ID 06858 [Restrict access to time server configurations to ensure Time data is protected. 10.4.2] | Configuration | Preventive | |
| Configure Account settings in accordance with organizational standards. CC ID 07603 | Configuration | Preventive | |
| Configure the "Account lockout threshold" to organizational standards. CC ID 07604 [{configure} {account lockout threshold} Limit repeated access attempts by locking out the user ID after not more than six attempts. 8.1.6] | Configuration | Preventive | |
| Configure the "Account lockout duration" to organizational standards. CC ID 07771 [Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. 8.1.7] | Configuration | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
| Configure the security parameters for all logs. CC ID 01712 | Configuration | Preventive | |
| Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 [Configure the audit log to capture Initialization, stopping, or pausing of the audit logs 10.2.6] | Log Management | Detective | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | Configuration | Preventive | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure the audit log to capture the following event for all system components: User identification 10.3.1] | Configuration | Preventive | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure the audit log to capture the following event for all system components: Date and time 10.3.3] | Configuration | Preventive | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure the audit log to capture the following event for all system components: Origination of event 10.3.5] | Log Management | Detective | |
| Configure the log to uniquely identify each asset. CC ID 01339 [Configure the audit log to capture the following event for all system components: Identity or name of affected data, system component, or resource. 10.3.6] | Configuration | Preventive | |
| Configure the log to capture the type of each event. CC ID 06423 [Configure the audit log to capture the following event for all system components: Type of event 10.3.2] | Configuration | Preventive | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 [Configure the audit log to capture the following event for all system components: Success or failure indication 10.3.4] | Configuration | Preventive | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 | Configuration | Preventive | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 [Configure the audit log to capture Invalid logical access attempts 10.2.4] | Log Management | Detective | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Configure the audit log to capture All individual user accesses to cardholder data 10.2.1] | Log Management | Detective | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [{root privileges} Configure the audit log to capture All actions taken by any individual with root or administrative privileges 10.2.2] | Log Management | Detective | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | Log Management | Detective | |
| Configure the log to capture all access to the audit trail. CC ID 00646 [Configure the audit log to capture Access to all audit trails 10.2.3] | Log Management | Detective | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | Log Management | Detective | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 [Configure the audit log to capture Creation and deletion of system-level objects 10.2.7] | Log Management | Detective | |
| Configure the log to capture configuration changes. CC ID 06881 | Configuration | Preventive | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | Log Management | Detective | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | Configuration | Preventive | |
| Configure the "Maximum password age" to organizational standards. CC ID 07688 [{maximum password age} Change user passwords/passphrases at least once every 90 days. 8.2.4] | Configuration | Preventive | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | Configuration | Preventive | |
| Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | Configuration | Preventive | |
| Configure the "Enforce password history" to organizational standards. CC ID 07877 [{passphrase} {configure} {password history} Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. 8.2.5] | Configuration | Preventive | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | Configuration | Preventive | |
| Configure security and protection software to automatically run at startup. CC ID 12443 [Ensure that anti-virus mechanisms are actively verb">running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | Configuration | Preventive | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of e="background-color:#F0BBBC;" class="term_primary-noun">malicious software. 5.1.1] | Testing | Detective | |
| Configure security and protection software to enable automatic updates. CC ID 11945 [Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | Configuration | Preventive | |
| Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | Configuration | Preventive | |
| Configure the file integrity monitoring software to perform critical file comparisons, as necessary. CC ID 11924 [Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | Configuration | Preventive | |
Systems design, build, and implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7] | Systems Design, Build, and Implementation | Preventive | |
| Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Establish/Maintain Documentation | Preventive | |
| Perform a feasibility study for product requests. CC ID 06895 | Acquisition/Sale of Assets or Services | Preventive | |
| Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Acquisition/Sale of Assets or Services | Preventive | |
| Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Human Resources Management | Preventive | |
| Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Establish/Maintain Documentation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 | Systems Design, Build, and Implementation | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
| Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Communicate | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [Develop and maintain secure systems and applications. Requirement 6] | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Establish/Maintain Documentation | Preventive | |
| Supervise and monitor outsourced development projects. CC ID 01096 | Monitor and Evaluate Occurrences | Detective | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems Design, Build, and Implementation | Preventive | |
| Store manufacturing components in a controlled access area. CC ID 12256 | Physical and Environmental Protection | Preventive | |
| Develop new products based on best practices. CC ID 01095 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Establish/Maintain Documentation | Preventive | |
| Document the system architecture in the system design specification. CC ID 12287 | Establish/Maintain Documentation | Preventive | |
| Include hardware requirements in the system design specification. CC ID 08666 | Establish/Maintain Documentation | Preventive | |
| Include communication links in the system design specification. CC ID 08665 | Establish/Maintain Documentation | Preventive | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Establish/Maintain Documentation | Preventive | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Establish/Maintain Documentation | Preventive | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Establish/Maintain Documentation | Preventive | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Establish/Maintain Documentation | Preventive | |
| Include threat models in the system design specification. CC ID 06829 | Systems Design, Build, and Implementation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Establish/Maintain Documentation | Preventive | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Process or Activity | Preventive | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Process or Activity | Preventive | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Process or Activity | Preventive | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems Design, Build, and Implementation | Preventive | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Process or Activity | Preventive | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems Design, Build, and Implementation | Preventive | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Process or Activity | Preventive | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Establish/Maintain Documentation | Preventive | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Configuration | Preventive | |
| Use valid HTML or other markup languages. CC ID 15153 | Configuration | Preventive | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Establish/Maintain Documentation | Preventive | |
| Ensure users can navigate content. CC ID 15163 | Configuration | Preventive | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Configuration | Preventive | |
| Ensure user interface components are operable. CC ID 15162 | Configuration | Preventive | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Configuration | Preventive | |
| Allow users to reverse submissions. CC ID 15168 | Configuration | Preventive | |
| Provide a mechanism to control audio. CC ID 15158 | Configuration | Preventive | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Configuration | Preventive | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Configuration | Preventive | |
| Programmatically determine the language of content. CC ID 15137 | Configuration | Preventive | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Configuration | Preventive | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Configuration | Preventive | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Configuration | Preventive | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Configuration | Preventive | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Process or Activity | Preventive | |
| Provide captions for live audio content. CC ID 15120 | Configuration | Preventive | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Configuration | Preventive | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Configuration | Preventive | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Configuration | Preventive | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Configuration | Preventive | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Configuration | Preventive | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Configuration | Preventive | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Configuration | Preventive | |
| Allow the use of time limits, as necessary. CC ID 15155 | Configuration | Preventive | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Establish/Maintain Documentation | Preventive | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Configuration | Preventive | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain User Interface documentation. CC ID 12204 | Establish/Maintain Documentation | Preventive | |
| Include system messages in human interface guidelines. CC ID 08663 | Establish/Maintain Documentation | Preventive | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Establish/Maintain Documentation | Preventive | |
| Include the data structure in the system design specification. CC ID 08669 | Establish/Maintain Documentation | Preventive | |
| Include the input and output variables in the system design specification. CC ID 08670 | Establish/Maintain Documentation | Preventive | |
| Include data encryption information in the system design specification. CC ID 12209 | Establish/Maintain Documentation | Preventive | |
| Include records disposition information in the system design specification. CC ID 12208 | Establish/Maintain Documentation | Preventive | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Establish/Maintain Documentation | Preventive | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Establish/Maintain Documentation | Preventive | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Human Resources Management | Preventive | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Communicate | Preventive | |
| Implement data controls when developing systems. CC ID 15302 | Systems Design, Build, and Implementation | Preventive | |
| Implement security controls when developing systems. CC ID 06270 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems Design, Build, and Implementation | Preventive | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Technical Security | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems Design, Build, and Implementation | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Technical Security | Preventive | |
| Audit all modifications to the application being developed. CC ID 01614 | Testing | Detective | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems Design, Build, and Implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems Design, Build, and Implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems Design, Build, and Implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems Design, Build, and Implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems Design, Build, and Implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems Design, Build, and Implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems Design, Build, and Implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Establish/Maintain Documentation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems Design, Build, and Implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Establish/Maintain Documentation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Establish/Maintain Documentation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Establish/Maintain Documentation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Establish/Maintain Documentation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Establish/Maintain Documentation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems Design, Build, and Implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems Design, Build, and Implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Establish/Maintain Documentation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Establish/Maintain Documentation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Establish/Maintain Documentation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Establish/Maintain Documentation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Establish/Maintain Documentation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems Design, Build, and Implementation | Preventive | |
| Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems Design, Build, and Implementation | Preventive | |
| Automate secure update mechanisms, as necessary. CC ID 14933 | Systems Design, Build, and Implementation | Preventive | |
| Follow security design requirements when developing systems. CC ID 06827 | Systems Design, Build, and Implementation | Preventive | |
| Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 | Data and Information Management | Preventive | |
| Use randomly generated session identifiers. CC ID 07074 | Technical Security | Preventive | |
| Identify multi-project interfaces and dependencies. CC ID 06902 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system implementation representation document. CC ID 04558 | Establish/Maintain Documentation | Preventive | |
| Include the source code in the implementation representation document. CC ID 13089 | Establish/Maintain Documentation | Preventive | |
| Include the hardware schematics in the implementation representation document. CC ID 13098 | Establish/Maintain Documentation | Preventive | |
| Design the security architecture. CC ID 06269 | Systems Design, Build, and Implementation | Preventive | |
| Limit the embedding of data types inside other data types. CC ID 06759 | Technical Security | Preventive | |
| Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Process or Activity | Preventive | |
| Review and update the security architecture, as necessary. CC ID 14277 | Establish/Maintain Documentation | Corrective | |
| Design the privacy architecture. CC ID 14671 | Systems Design, Build, and Implementation | Preventive | |
| Review and update the privacy architecture, as necessary. CC ID 14674 | Establish/Maintain Documentation | Preventive | |
| Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Process or Activity | Preventive | |
| Implement software development version controls. CC ID 01098 | Systems Design, Build, and Implementation | Preventive | |
| Protect system libraries. CC ID 01097 | Technical Security | Preventive | |
| Follow the system development process when upgrading a system. CC ID 01059 | Systems Design, Build, and Implementation | Preventive | |
| Protect application program libraries. CC ID 11762 | Technical Security | Preventive | |
| Conduct a design review at each milestone or quality gate. CC ID 01087 | Systems Design, Build, and Implementation | Detective | |
| Reassess the system design after the product has been tested. CC ID 01088 | Testing | Detective | |
| Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 | Establish/Maintain Documentation | Preventive | |
| Approve the design methodology before moving forward on the system design project. CC ID 01060 | Systems Design, Build, and Implementation | Preventive | |
| Protect source code in accordance with organizational requirements. CC ID 16855 | Technical Security | Preventive | |
| Perform source code analysis at each milestone or quality gate. CC ID 06832 | Systems Design, Build, and Implementation | Corrective | |
| Identify and redesign unsafe functions when developing systems. CC ID 06831 | Systems Design, Build, and Implementation | Preventive | |
| Document the results of the source code analysis. CC ID 14310 | Process or Activity | Detective | |
| Monitor the development environment for when malicious code is discovered. CC ID 06396 | Systems Design, Build, and Implementation | Detective | |
| Establish and maintain system security documentation. CC ID 06271 | Establish/Maintain Documentation | Preventive | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Establish/Maintain Documentation | Preventive | |
| Transmit source code securely. CC ID 06397 | Data and Information Management | Preventive | |
| Digitally sign software components. CC ID 16490 | Process or Activity | Preventive | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 | Technical Security | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5 {assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Establish/Maintain Documentation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 [Include in the coding manual how to protect applications from Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). 6.5.8] | Technical Security | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [Include in the coding manual how to protect applications from Improper error handling 6.5.5] | Technical Security | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 [Include in the coding manual how to protect applications from Insecure communications 6.5.4] | Technical Security | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Technical Security | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 [Include in the coding manual how to protect applications from Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 6.5.1] | Technical Security | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Technical Security | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Technical Security | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 [Include in the coding manual how to protect applications from Buffer overflows. 6.5.2] | Technical Security | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 [Include in the coding manual how to protect applications from Cross-site scripting (XSS) 6.5.7] | Process or Activity | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [Use a coding manual to protect against coding vulnerabilities such as All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). 6.5.6] | Process or Activity | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 [Include in the coding manual how to protect applications from Broken authentication and session management 6.5.10] | Process or Activity | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 [Include in the coding manual how to protect applications from Insecure cryptographic storage 6.5.3] | Technical Security | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 [Include in the coding manual how to protect applications from Cross-site request forgery (CSRF) 6.5.9] | Process or Activity | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Technical Security | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems Design, Build, and Implementation | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems Design, Build, and Implementation | Corrective | |
| Standardize Application Programming Interfaces. CC ID 12167 | Technical Security | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Establish/Maintain Documentation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Establish/Maintain Documentation | Preventive | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Testing | Detective | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Establish/Maintain Documentation | Preventive | |
| Restrict production data from being used in the test environment. CC ID 01103 [The change control processes must include Production data (live PANs) are not used for testing or development 6.4.3] | Testing | Detective | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Testing | Detective | |
| Review and test source code. CC ID 01086 | Testing | Detective | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Establish Roles | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Establish/Maintain Documentation | Preventive | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Testing | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Testing | Detective | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
| Manage the system implementation process. CC ID 01115 | Behavior | Preventive | |
| Establish, implement, and maintain promoting the system to a production environment procedures. CC ID 01119 | Establish/Maintain Documentation | Preventive | |
| Remove test data prior to promoting the system to a production environment. CC ID 12494 [Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. 6.3.1 {remove} The change control processes must include Removal of test data and accounts before production systems become active. 6.4.4] | Business Processes | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Establish/Maintain Documentation | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.1] | Establish/Maintain Documentation | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Establish/Maintain Documentation | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Establish/Maintain Documentation | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 [Restrict each entity’s access and privileges to its own cardholder data environment only. A.1.2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 [{make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Establish/Maintain Documentation | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Establish/Maintain Documentation | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Establish/Maintain Documentation | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [{make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: 8.1] | Establish/Maintain Documentation | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
| Identify information system users. CC ID 12081 | Technical Security | Detective | |
| Review user accounts. CC ID 00525 | Technical Security | Detective | |
| Match user accounts to authorized parties. CC ID 12126 | Configuration | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical Security | Detective | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
| Review shared accounts. CC ID 11840 | Technical Security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 [{job function} {user privilege} Assign access based on individual personnel’s job classification and function. 7.1.3 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. 7.1.2 {job function} The access control system must include Assignment of privileges to individuals based on job classification and function. 7.2.2] | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 [Require documented approval by authorized parties specifying required privileges. 7.1.4] | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Identify and authenticate access to system components Requirement 8] | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 [The access control system must include Coverage of all system components 7.2.1] | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 [The access control system must include Default “deny-all” setting. 7.2.3 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [Establish an access control system for systems components that restricts access 0E5;" class="term_secondary-verb">based</span> on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Control user privileges. CC ID 11665 | Technical Security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical Security | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [Immediately revoke access for any terminated users. 8.1.3 Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Behavior | Corrective | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. 8.1.2] | Technical Security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 [Formally assign information security responsibilities for: Administer user accounts, including additions, deletions, and modifications. 12.5.4] | Human Resources Management | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Technical Security | Preventive | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
| Remove inactive user accounts, as necessary. CC ID 00517 [Remove/disable inactive user accounts within 90 days. 8.1.4] | Technical Security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
| Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical Security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical Security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
| Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Employ unique identifiers. CC ID 01273 [Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. 8.5.1 Assign all users a unique ID before allowing them to access system components or cardholder data. 8.1.1] | Testing | Detective | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Data and Information Management | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Establish/Maintain Documentation | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical Security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Process or Activity | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Human Resources Management | Preventive | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Testing | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 [Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. 8.2.2] | Testing | Detective | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical Security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Configuration | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Configuration | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6] | Technical Security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Establish Roles | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. 1.2] | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Do not disclose private IP addresses and routing information to unauthorized parties. 1.3.8] | Technical Security | Preventive | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Communicate | Preventive | |
| Segregate systems in accordance with organizational standards. CC ID 12546 | Technical Security | Preventive | |
| Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [Prohibit direct public access between the Internet and any system component in the cardholder data environment. 1.3] | Technical Security | Preventive | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 [{inbound Internet traffic} Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Data and Information Management | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Limit inbound Internet traffic to IP addresses within the DMZ. 1.3.2 {direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical Security | Preventive | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Establish/Maintain Documentation | Preventive | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Include in the firewall and router configuration standard a Description of groups, roles, and responsibilities for management of network components. 1.1.5] | Establish Roles | Preventive | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical Security | Preventive | |
| Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Configuration | Preventive | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Configuration | Preventive | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Configuration | Preventive | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical Security | Preventive | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 [Establish and implement firewall and router configuration standards that include the following: 1.1] | Establish/Maintain Documentation | Preventive | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical Security | Preventive | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5] | Configuration | Preventive | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1 Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1] | Process or Activity | Detective | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6 Implement additional security features for any required services, protocols, or daemons that are considered to und-color:#CBD0E5;" class="term_secondary-verb">be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. 2.2.3] | Establish/Maintain Documentation | Preventive | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Include in the firewall and router configuration standard a Requirement to review firewall and router rule sets at least every six months. 1.1.7] | Technical Security | Corrective | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Establish/Maintain Documentation | Preventive | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Establish/Maintain Documentation | Preventive | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 [Include in the firewall and router configuration standard Requirements for a firewall at each Internet connection and between any F0BBBC;" class="term_primary-noun">demilitarized zonespan> (DMZ) and the internal network zone. 1.1.4] | Establish/Maintain Documentation | Preventive | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [Include in the firewall and router configuration standard Current network diagram that identifies all s="term_primary-noun">connections between the cardholder data environment and other networks, including any or:#CBD0E5;" class="term_secondary-verb">-noun">wireless networks. 1.1.2] | Establish/Maintain Documentation | Preventive | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [Include in the firewall and router configuration standard Current diagram that shows all cardholder data flows across systems and networks. 1.1.3] | Establish/Maintain Documentation | Preventive | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Configuration | Preventive | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Establish/Maintain Documentation | Preventive | |
| Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Establish/Maintain Documentation | Preventive | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Establish/Maintain Documentation | Preventive | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6] | Establish/Maintain Documentation | Preventive | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Establish/Maintain Documentation | Preventive | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Establish/Maintain Documentation | Preventive | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4 {mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Configuration | Preventive | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Technical Security | Preventive | |
| Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. 1.3.4 Install and maintain a firewall configuration to protect cardholder data. Requirement 1] | Configuration | Preventive | |
| Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Configuration | Detective | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical Security | Preventive | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Configuration | Preventive | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Configuration | Preventive | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Configuration | Preventive | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Configuration | Preventive | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Configuration | Preventive | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Configuration | Preventive | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Configuration | Preventive | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Configuration | Preventive | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Configuration | Preventive | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Configuration | Preventive | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Configuration | Preventive | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Configuration | Preventive | |
| Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Configuration | Preventive | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Implement stateful inspection, also known as dynamic packet filtering. 1.3.6] | Testing | Detective | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical Security | Preventive | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 [{direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. 1.3.5] | Data and Information Management | Preventive | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Data and Information Management | Preventive | |
| Synchronize and secure all router configuration files. CC ID 01291 [Secure and synchronize router configuration files. 1.2.2] | Configuration | Preventive | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Configuration | Preventive | |
| Configure firewalls to generate an audit log. CC ID 12038 | Audits and Risk Management | Preventive | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Configuration | Preventive | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Establish/Maintain Documentation | Preventive | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Establish/Maintain Documentation | Preventive | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Establish/Maintain Documentation | Preventive | |
| Configure network access and control points to organizational standards. CC ID 12442 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in imary-verb">use, and known to all affected parties. 1.5] | Configuration | Detective | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Configuration | Preventive | |
| Update application layer firewalls to the most current version. CC ID 12037 | Process or Activity | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Data and Information Management | Preventive | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Restrict access to cardholder data by business need to know Requirement 7] | Data and Information Management | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical Security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 [Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). 8.3] | Configuration | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
| Monitor and evaluate all remote access usage. CC ID 00563 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Monitor and Evaluate Occurrences | Detective | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3] | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Data and Information Management | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: 3.6 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. 3.5] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 [{generate} Include in the cryptographic key management procedures Generation of strong cryptographic keys. 3.6.1] | Data and Information Management | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 [{file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Technical Security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [Include in the cryptographic key management procedures Secure cryptographic key distribution. 3.6.2] | Data and Information Management | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
| Store cryptographic keys securely. CC ID 01298 [Include in the cryptographic key management procedures Secure cryptographic key storage. 3.6.3 Store cryptographic keys in the fewest possible locations. 3.5.3 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Data and Information Management | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 [Restrict access to cryptographic keys to the fewest number of custodians necessary. 3.5.1] | Data and Information Management | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Data and Information Management | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical Security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 [Include in the cryptographic key management procedures Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). 3.6.4] | Data and Information Management | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [Include in the cryptographic key management procedures If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control. 3.6.6] | Data and Information Management | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 [{prevent} Include in the cryptographic key management procedures Prevention of unauthorized substitution of cryptographic keys. 3.6.7] | Data and Information Management | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Data and Information Management | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Data and Information Management | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 [Include in the cryptographic key management procedures Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. 3.6.8] | Human Resources Management | Preventive | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. 4.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. 4.1.1 {transmit} Encrypt transmission of cardholder data across open, public networks. Requirement 4] | Technical Security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 [Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 5.1] | Configuration | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
| Scan for malicious code, as necessary. CC ID 11941 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Investigate | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
| Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
| Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
| Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
| Lock antivirus configurations. CC ID 10047 [Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | Configuration | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 [Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: 12.8] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Terminate supplier relationships, as necessary. CC ID 13489 | Business Processes | Corrective | |
| Document and maintain supply chain processes. CC ID 08816 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an exit plan. CC ID 15492 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
| Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
| Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
| Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.2 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9] | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
| Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. A.1.1] | Data and Information Management | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Establish/Maintain Documentation | Preventive | |
| Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
| Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
| Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
| Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
| Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
| Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 | Establish/Maintain Documentation | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.8.3] | Testing | Detective | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Business Processes | Preventive | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Establish/Maintain Documentation | Preventive | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Establish/Maintain Documentation | Preventive | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
| Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
| Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [Shared hosting providers must protect the cardholder data environment Requirement A.1] | Business Processes | Preventive | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
| Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
| Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. 12.8.5] | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Preventive | |
| Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Preventive | |
| Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Detective | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Monitoring and measurement | Detective | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Monitoring and measurement | Detective | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
| Mitigate reported incidents. CC ID 12973 | Operational management | Preventive | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Operational management | Preventive | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
| Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Preventive | |
| Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Detective | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Detective | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Monitoring and measurement | Preventive | |
| Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6 {make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [Immediately revoke access for any terminated users. 8.1.3 Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Technical security | Corrective | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 [Include in the visitor identification procedures Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. 9.4.2] | Physical and environmental protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 [Include in the visitor identification procedures Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. 9.4.3] | Physical and environmental protection | Preventive | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Preventive | |
| Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Human Resources management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5] | Human Resources management | Corrective | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5 {make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Operational management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 [Implement a process to respond to any alerts generated by the change-detection solution. 11.5.1] | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Preventive | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Operational management | Preventive | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Preventive | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
| Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) s="term_secondary-verb">approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Monitoring and measurement | Preventive | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 [Send the media by secured courier or other delivery method that can be accurately tracked. 9.6.2] | Physical and environmental protection | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Preventive | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
| Manage cloud services. CC ID 13144 | Operational management | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Operational management | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Analyze and respond to security alerts. CC ID 12504 | Operational management | Detective | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Preventive | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Corrective | |
| Manage change requests. CC ID 00887 | Operational management | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Follow change control processes and procedures for all changes to system components. The processes must include the following: 6.4] | Operational management | Preventive | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Preventive | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
| Remove test data prior to promoting the system to a production environment. CC ID 12494 [Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. 6.3.1 {remove} The change control processes must include Removal of test data and accounts before production systems become active. 6.4.4] | Systems design, build, and implementation | Preventive | |
| Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Corrective | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
| Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
| Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Preventive | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Preventive | |
| Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [Shared hosting providers must protect the cardholder data environment Requirement A.1] | Third Party and supply chain oversight | Preventive | |
| Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Preventive | |
| Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Monitoring and measurement | Preventive | |
| Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Monitoring and measurement | Preventive | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Detective | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Monitoring and measurement | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Preventive | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Establish, publish, maintain, and disseminate a security policy. 12.1] | Operational management | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Preventive | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Preventive | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 [Formally assign information security responsibilities for: Establish, document, and distribute</span> security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Operational management | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Preventive | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Detective | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | System hardening through configuration management | Preventive | |
| Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Preventive | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Preventive | |
| Document the event information to be logged in the event information log specification. CC ID 00639 | Monitoring and measurement | Preventive | |
| Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Preventive | |
| Enable and configure logging on all network access controls. CC ID 01963 | Monitoring and measurement | Preventive | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. 10.4 Use time-synchronization technology to ensure Critical systems have the correct and consistent time. 10.4.1] | Monitoring and measurement | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Preventive | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Corrective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Detective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Detective | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Identify and authenticate access to system components Requirement 8] | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
| Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Preventive | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Technical security | Preventive | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Preventive | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5] | Technical security | Preventive | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Preventive | |
| Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4 {mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Technical security | Preventive | |
| Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. 1.3.4 Install and maintain a firewall configuration to protect cardholder data. Requirement 1] | Technical security | Preventive | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Detective | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Technical security | Preventive | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Preventive | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Preventive | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Preventive | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Preventive | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Preventive | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Preventive | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Preventive | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Preventive | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Preventive | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Preventive | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Preventive | |
| Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Preventive | |
| Synchronize and secure all router configuration files. CC ID 01291 [Secure and synchronize router configuration files. 1.2.2] | Technical security | Preventive | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Preventive | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Preventive | |
| Configure network access and control points to organizational standards. CC ID 12442 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in imary-verb">use, and known to all affected parties. 1.5] | Technical security | Detective | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Technical security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 [Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). 8.3] | Technical security | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 [Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 5.1] | Technical security | Preventive | |
| Lock antivirus configurations. CC ID 10047 [Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | Technical security | Preventive | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Preventive | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 [Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. 6.2] | Operational management | Corrective | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
| Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Preventive | |
| Employ the Configuration Management program. CC ID 11904 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | System hardening through configuration management | Preventive | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 [Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | System hardening through configuration management | Preventive | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 | System hardening through configuration management | Preventive | |
| Document and justify system hardening standard exceptions. CC ID 06845 | System hardening through configuration management | Preventive | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 | System hardening through configuration management | Preventive | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | System hardening through configuration management | Preventive | |
| Change default configurations, as necessary. CC ID 00877 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Preventive | |
| Configure custom security parameters for X-Windows. CC ID 02168 | System hardening through configuration management | Preventive | |
| Configure custom security settings for Lotus Domino. CC ID 02171 | System hardening through configuration management | Preventive | |
| Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | System hardening through configuration management | Preventive | |
| Configure custom Security settings for Sun Answerbook2. CC ID 02178 | System hardening through configuration management | Preventive | |
| Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | System hardening through configuration management | Preventive | |
| Configure and secure each interface for Executive Interfaces. CC ID 02182 | System hardening through configuration management | Preventive | |
| Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | System hardening through configuration management | Preventive | |
| Configure the unisys executive (GENNED) GEN tags. CC ID 02184 | System hardening through configuration management | Preventive | |
| Reconfigure the default Console Mode privileges. CC ID 02189 | System hardening through configuration management | Preventive | |
| Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | System hardening through configuration management | Preventive | |
| Configure security profiles for the various Console Mode levels. CC ID 02191 | System hardening through configuration management | Preventive | |
| Configure custom access privileges for all mapper files. CC ID 02194 | System hardening through configuration management | Preventive | |
| Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | System hardening through configuration management | Preventive | |
| Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | System hardening through configuration management | Preventive | |
| Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | System hardening through configuration management | Preventive | |
| Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | System hardening through configuration management | Preventive | |
| Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | System hardening through configuration management | Preventive | |
| Complete the NetWare eGuide configuration. CC ID 04449 | System hardening through configuration management | Preventive | |
| Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | System hardening through configuration management | Preventive | |
| Set the low security directory list properly. CC ID 04903 | System hardening through configuration management | Preventive | |
| Set the medium security directory list properly. CC ID 04904 | System hardening through configuration management | Preventive | |
| Set the high security directory list properly. CC ID 04905 | System hardening through configuration management | Preventive | |
| Set the UID aliases pointer properly. CC ID 04906 | System hardening through configuration management | Preventive | |
| Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Preventive | |
| Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | System hardening through configuration management | Preventive | |
| Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | System hardening through configuration management | Preventive | |
| Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Preventive | |
| Configure the system to boot directly to the correct Operating System. CC ID 04509 | System hardening through configuration management | Preventive | |
| Verify an appropriate bootloader is used. CC ID 04900 | System hardening through configuration management | Preventive | |
| Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | System hardening through configuration management | Preventive | |
| Configure the system to boot from hardware enforced read-only media. CC ID 10657 | System hardening through configuration management | Preventive | |
| Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | System hardening through configuration management | Preventive | |
| Change the community string for Simple Network Management Protocol, as necessary. CC ID 01872 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Preventive | |
| Configure the system's storage media. CC ID 10618 | System hardening through configuration management | Preventive | |
| Configure the system's electronic storage media's encryption settings. CC ID 11927 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1] | System hardening through configuration management | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. 2.2.5] | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Preventive | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Preventive | |
| Disable Autorun. CC ID 01790 | System hardening through configuration management | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | System hardening through configuration management | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Preventive | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Preventive | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Preventive | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Preventive | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Preventive | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Preventive | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Preventive | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Preventive | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Preventive | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Preventive | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Preventive | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Preventive | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Preventive | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Preventive | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Preventive | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 2.2.2] | System hardening through configuration management | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Preventive | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Preventive | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Preventive | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Preventive | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Preventive | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | System hardening through configuration management | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 [{passphrase} Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. 8.2.6] | System hardening through configuration management | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | System hardening through configuration management | Preventive | |
| Change all default authenticators. CC ID 15309 [Do not use vendor-supplied defaults for system passwords and other security parameters. Requirement 2 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Configure system security parameters to prevent misuse. 2.2.4] | System hardening through configuration management | Preventive | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Preventive | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Preventive | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Preventive | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Preventive | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Preventive | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Preventive | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Preventive | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Preventive | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Preventive | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Preventive | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Preventive | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Preventive | |
| Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Preventive | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Preventive | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Preventive | |
| Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Preventive | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Preventive | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Preventive | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Preventive | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | System hardening through configuration management | Preventive | |
| Configure the system to enable Stack protection. CC ID 01514 | System hardening through configuration management | Preventive | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | System hardening through configuration management | Preventive | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | System hardening through configuration management | Preventive | |
| Configure the system to a default secure level. CC ID 01519 | System hardening through configuration management | Preventive | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | System hardening through configuration management | Preventive | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | System hardening through configuration management | Preventive | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | System hardening through configuration management | Preventive | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | System hardening through configuration management | Preventive | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | System hardening through configuration management | Preventive | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | System hardening through configuration management | Preventive | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | System hardening through configuration management | Preventive | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | System hardening through configuration management | Preventive | |
| Run hp_checkperms. CC ID 01548 | System hardening through configuration management | Preventive | |
| Run fix-modes. CC ID 01549 | System hardening through configuration management | Preventive | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | System hardening through configuration management | Preventive | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | System hardening through configuration management | Preventive | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | System hardening through configuration management | Preventive | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | System hardening through configuration management | Preventive | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | System hardening through configuration management | Preventive | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | System hardening through configuration management | Preventive | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | System hardening through configuration management | Preventive | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | System hardening through configuration management | Preventive | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | System hardening through configuration management | Preventive | |
| Enable the safe DLL search mode. CC ID 04273 | System hardening through configuration management | Preventive | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | System hardening through configuration management | Preventive | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | System hardening through configuration management | Preventive | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | System hardening through configuration management | Preventive | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | System hardening through configuration management | Preventive | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | System hardening through configuration management | Preventive | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | System hardening through configuration management | Preventive | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | System hardening through configuration management | Preventive | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | System hardening through configuration management | Preventive | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | System hardening through configuration management | Preventive | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | System hardening through configuration management | Preventive | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | System hardening through configuration management | Preventive | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | System hardening through configuration management | Preventive | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | System hardening through configuration management | Preventive | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | System hardening through configuration management | Preventive | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | System hardening through configuration management | Preventive | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | System hardening through configuration management | Preventive | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | System hardening through configuration management | Preventive | |
| Configure the NetWare bindery contexts. CC ID 04444 | System hardening through configuration management | Preventive | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | System hardening through configuration management | Preventive | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | System hardening through configuration management | Preventive | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | System hardening through configuration management | Preventive | |
| Configure the /etc/sshd_config file. CC ID 04475 | System hardening through configuration management | Preventive | |
| Configure the .Mac preferences. CC ID 04484 | System hardening through configuration management | Preventive | |
| Configure the Fast User Switching setting. CC ID 04485 | System hardening through configuration management | Preventive | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | System hardening through configuration management | Preventive | |
| Configure Apple's Dock preferences. CC ID 04487 | System hardening through configuration management | Preventive | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Preventive | |
| Configure the Energy Saver preferences. CC ID 04488 | System hardening through configuration management | Preventive | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | System hardening through configuration management | Preventive | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Preventive | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | System hardening through configuration management | Preventive | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Preventive | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | System hardening through configuration management | Preventive | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Preventive | |
| Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Preventive | |
| Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Preventive | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Preventive | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Preventive | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | System hardening through configuration management | Preventive | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | System hardening through configuration management | Preventive | |
| Verify all files are owned by an existing account and group. CC ID 05295 | System hardening through configuration management | Preventive | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | System hardening through configuration management | Preventive | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | System hardening through configuration management | Preventive | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | System hardening through configuration management | Preventive | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | System hardening through configuration management | Preventive | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | System hardening through configuration management | Preventive | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | System hardening through configuration management | Preventive | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | System hardening through configuration management | Preventive | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | System hardening through configuration management | Preventive | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Preventive | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | System hardening through configuration management | Preventive | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | System hardening through configuration management | Preventive | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | System hardening through configuration management | Preventive | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | System hardening through configuration management | Preventive | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | System hardening through configuration management | Preventive | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | System hardening through configuration management | Preventive | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | System hardening through configuration management | Preventive | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | System hardening through configuration management | Preventive | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | System hardening through configuration management | Preventive | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | System hardening through configuration management | Preventive | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | System hardening through configuration management | Preventive | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | System hardening through configuration management | Preventive | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | System hardening through configuration management | Preventive | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | System hardening through configuration management | Preventive | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | System hardening through configuration management | Preventive | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Preventive | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Preventive | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Preventive | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | System hardening through configuration management | Preventive | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | System hardening through configuration management | Preventive | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | System hardening through configuration management | Preventive | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | System hardening through configuration management | Preventive | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | System hardening through configuration management | Preventive | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | System hardening through configuration management | Preventive | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | System hardening through configuration management | Preventive | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | System hardening through configuration management | Preventive | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | System hardening through configuration management | Preventive | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | System hardening through configuration management | Preventive | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | System hardening through configuration management | Preventive | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | System hardening through configuration management | Preventive | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | System hardening through configuration management | Preventive | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | System hardening through configuration management | Preventive | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | System hardening through configuration management | Preventive | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | System hardening through configuration management | Preventive | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | System hardening through configuration management | Preventive | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | System hardening through configuration management | Preventive | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | System hardening through configuration management | Preventive | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | System hardening through configuration management | Preventive | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | System hardening through configuration management | Preventive | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | System hardening through configuration management | Preventive | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | System hardening through configuration management | Preventive | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | System hardening through configuration management | Preventive | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | System hardening through configuration management | Preventive | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | System hardening through configuration management | Preventive | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | System hardening through configuration management | Preventive | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | System hardening through configuration management | Preventive | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | System hardening through configuration management | Preventive | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | System hardening through configuration management | Preventive | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | System hardening through configuration management | Preventive | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | System hardening through configuration management | Preventive | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | System hardening through configuration management | Preventive | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | System hardening through configuration management | Preventive | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | System hardening through configuration management | Preventive | |
| Set the X server timeout properly. CC ID 05374 | System hardening through configuration management | Preventive | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | System hardening through configuration management | Preventive | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | System hardening through configuration management | Preventive | |
| Set the SELinux state properly. CC ID 05377 | System hardening through configuration management | Preventive | |
| Set the SELinux policy properly. CC ID 05378 | System hardening through configuration management | Preventive | |
| Configure Dovecot properly. CC ID 05379 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Preventive | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Preventive | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Preventive | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Preventive | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Preventive | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | System hardening through configuration management | Preventive | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | System hardening through configuration management | Preventive | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Preventive | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Preventive | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Preventive | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | System hardening through configuration management | Preventive | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | System hardening through configuration management | Preventive | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | System hardening through configuration management | Preventive | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Preventive | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Preventive | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Preventive | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | System hardening through configuration management | Preventive | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | System hardening through configuration management | Preventive | |
| Enable the ExecShield, as appropriate. CC ID 05421 | System hardening through configuration management | Preventive | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | System hardening through configuration management | Preventive | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | System hardening through configuration management | Preventive | |
| Configure the Shell for the bin account properly. CC ID 05424 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | System hardening through configuration management | Preventive | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | System hardening through configuration management | Preventive | |
| Configure the Shell for the listen account properly. CC ID 05427 | System hardening through configuration management | Preventive | |
| Configure the Shell for the gdm account properly. CC ID 05428 | System hardening through configuration management | Preventive | |
| Configure the Shell for the webservd account properly. CC ID 05429 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nobody account properly. CC ID 05430 | System hardening through configuration management | Preventive | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | System hardening through configuration management | Preventive | |
| Configure the Shell for the adm account properly. CC ID 05433 | System hardening through configuration management | Preventive | |
| Configure the Shell for the lp account properly. CC ID 05434 | System hardening through configuration management | Preventive | |
| Configure the Shell for the uucp account properly. CC ID 05435 | System hardening through configuration management | Preventive | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | System hardening through configuration management | Preventive | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | System hardening through configuration management | Preventive | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Preventive | |
| Set the TCP max connection limit properly. CC ID 05440 | System hardening through configuration management | Preventive | |
| Set the TCP abort interval properly. CC ID 05441 | System hardening through configuration management | Preventive | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | System hardening through configuration management | Preventive | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | System hardening through configuration management | Preventive | |
| Set the ARP IRE scan rate properly. CC ID 05444 | System hardening through configuration management | Preventive | |
| Disable proxy ARP on all interfaces. CC ID 06570 | System hardening through configuration management | Preventive | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | System hardening through configuration management | Preventive | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | System hardening through configuration management | Preventive | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | System hardening through configuration management | Preventive | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | System hardening through configuration management | Preventive | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | System hardening through configuration management | Preventive | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | System hardening through configuration management | Preventive | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | System hardening through configuration management | Preventive | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Preventive | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | System hardening through configuration management | Preventive | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | System hardening through configuration management | Preventive | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | System hardening through configuration management | Preventive | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Preventive | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | System hardening through configuration management | Preventive | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | System hardening through configuration management | Preventive | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | System hardening through configuration management | Preventive | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Preventive | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Preventive | |
| Configure the system to purge Policy Caches. CC ID 06569 | System hardening through configuration management | Preventive | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | System hardening through configuration management | Preventive | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | System hardening through configuration management | Preventive | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | System hardening through configuration management | Preventive | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | System hardening through configuration management | Preventive | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | System hardening through configuration management | Preventive | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | System hardening through configuration management | Preventive | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | System hardening through configuration management | Preventive | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | System hardening through configuration management | Preventive | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | System hardening through configuration management | Preventive | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | System hardening through configuration management | Preventive | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | System hardening through configuration management | Preventive | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | System hardening through configuration management | Preventive | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | System hardening through configuration management | Preventive | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | System hardening through configuration management | Preventive | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | System hardening through configuration management | Preventive | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | System hardening through configuration management | Preventive | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | System hardening through configuration management | Preventive | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | System hardening through configuration management | Preventive | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | System hardening through configuration management | Preventive | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | System hardening through configuration management | Preventive | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | System hardening through configuration management | Preventive | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | System hardening through configuration management | Preventive | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | System hardening through configuration management | Preventive | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | System hardening through configuration management | Preventive | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | System hardening through configuration management | Preventive | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | System hardening through configuration management | Preventive | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | System hardening through configuration management | Preventive | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | System hardening through configuration management | Preventive | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | System hardening through configuration management | Preventive | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | System hardening through configuration management | Preventive | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | System hardening through configuration management | Preventive | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | System hardening through configuration management | Preventive | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | System hardening through configuration management | Preventive | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | System hardening through configuration management | Preventive | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | System hardening through configuration management | Preventive | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | System hardening through configuration management | Preventive | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | System hardening through configuration management | Preventive | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | System hardening through configuration management | Preventive | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | System hardening through configuration management | Preventive | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | System hardening through configuration management | Preventive | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | System hardening through configuration management | Preventive | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | System hardening through configuration management | Preventive | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | System hardening through configuration management | Preventive | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | System hardening through configuration management | Preventive | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | System hardening through configuration management | Preventive | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | System hardening through configuration management | Preventive | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | System hardening through configuration management | Preventive | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | System hardening through configuration management | Preventive | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | System hardening through configuration management | Preventive | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | System hardening through configuration management | Preventive | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | System hardening through configuration management | Preventive | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | System hardening through configuration management | Preventive | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | System hardening through configuration management | Preventive | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | System hardening through configuration management | Preventive | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | System hardening through configuration management | Preventive | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | System hardening through configuration management | Preventive | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | System hardening through configuration management | Preventive | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | System hardening through configuration management | Preventive | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | System hardening through configuration management | Preventive | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | System hardening through configuration management | Preventive | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | System hardening through configuration management | Preventive | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | System hardening through configuration management | Preventive | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | System hardening through configuration management | Preventive | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | System hardening through configuration management | Preventive | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | System hardening through configuration management | Preventive | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | System hardening through configuration management | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | System hardening through configuration management | Preventive | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | System hardening through configuration management | Preventive | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | System hardening through configuration management | Preventive | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | System hardening through configuration management | Preventive | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | System hardening through configuration management | Preventive | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | System hardening through configuration management | Preventive | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | System hardening through configuration management | Preventive | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | System hardening through configuration management | Preventive | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | System hardening through configuration management | Preventive | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | System hardening through configuration management | Preventive | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | System hardening through configuration management | Preventive | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | System hardening through configuration management | Preventive | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | System hardening through configuration management | Preventive | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | System hardening through configuration management | Preventive | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | System hardening through configuration management | Preventive | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | System hardening through configuration management | Preventive | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | System hardening through configuration management | Preventive | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | System hardening through configuration management | Preventive | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | System hardening through configuration management | Preventive | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | System hardening through configuration management | Preventive | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | System hardening through configuration management | Preventive | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | System hardening through configuration management | Preventive | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | System hardening through configuration management | Preventive | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | System hardening through configuration management | Preventive | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | System hardening through configuration management | Preventive | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | System hardening through configuration management | Preventive | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | System hardening through configuration management | Preventive | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | System hardening through configuration management | Preventive | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | System hardening through configuration management | Preventive | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | System hardening through configuration management | Preventive | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | System hardening through configuration management | Preventive | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | System hardening through configuration management | Preventive | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | System hardening through configuration management | Preventive | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | System hardening through configuration management | Preventive | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | System hardening through configuration management | Preventive | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | System hardening through configuration management | Preventive | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | System hardening through configuration management | Preventive | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | System hardening through configuration management | Preventive | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | System hardening through configuration management | Preventive | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | System hardening through configuration management | Preventive | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | System hardening through configuration management | Preventive | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | System hardening through configuration management | Preventive | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | System hardening through configuration management | Preventive | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | System hardening through configuration management | Preventive | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | System hardening through configuration management | Preventive | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | System hardening through configuration management | Preventive | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | System hardening through configuration management | Preventive | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | System hardening through configuration management | Preventive | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | System hardening through configuration management | Preventive | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | System hardening through configuration management | Preventive | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | System hardening through configuration management | Preventive | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | System hardening through configuration management | Preventive | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | System hardening through configuration management | Preventive | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | System hardening through configuration management | Preventive | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | System hardening through configuration management | Preventive | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | System hardening through configuration management | Preventive | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | System hardening through configuration management | Preventive | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | System hardening through configuration management | Preventive | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | System hardening through configuration management | Preventive | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | System hardening through configuration management | Preventive | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | System hardening through configuration management | Preventive | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | System hardening through configuration management | Preventive | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | System hardening through configuration management | Preventive | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | System hardening through configuration management | Preventive | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | System hardening through configuration management | Preventive | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | System hardening through configuration management | Preventive | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | System hardening through configuration management | Preventive | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | System hardening through configuration management | Preventive | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | System hardening through configuration management | Preventive | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | System hardening through configuration management | Preventive | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | System hardening through configuration management | Preventive | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | System hardening through configuration management | Preventive | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | System hardening through configuration management | Preventive | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | System hardening through configuration management | Preventive | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | System hardening through configuration management | Preventive | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | System hardening through configuration management | Preventive | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | System hardening through configuration management | Preventive | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | System hardening through configuration management | Preventive | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | System hardening through configuration management | Preventive | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | System hardening through configuration management | Preventive | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | System hardening through configuration management | Preventive | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | System hardening through configuration management | Preventive | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | System hardening through configuration management | Preventive | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | System hardening through configuration management | Preventive | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | System hardening through configuration management | Preventive | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | System hardening through configuration management | Preventive | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | System hardening through configuration management | Preventive | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | System hardening through configuration management | Preventive | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | System hardening through configuration management | Preventive | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | System hardening through configuration management | Preventive | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | System hardening through configuration management | Preventive | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | System hardening through configuration management | Preventive | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | System hardening through configuration management | Preventive | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | System hardening through configuration management | Preventive | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | System hardening through configuration management | Preventive | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | System hardening through configuration management | Preventive | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | System hardening through configuration management | Preventive | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | System hardening through configuration management | Preventive | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | System hardening through configuration management | Preventive | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | System hardening through configuration management | Preventive | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | System hardening through configuration management | Preventive | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | System hardening through configuration management | Preventive | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | System hardening through configuration management | Preventive | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | System hardening through configuration management | Preventive | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | System hardening through configuration management | Preventive | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | System hardening through configuration management | Preventive | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | System hardening through configuration management | Preventive | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | System hardening through configuration management | Preventive | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | System hardening through configuration management | Preventive | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | System hardening through configuration management | Preventive | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | System hardening through configuration management | Preventive | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | System hardening through configuration management | Preventive | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | System hardening through configuration management | Preventive | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | System hardening through configuration management | Preventive | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | System hardening through configuration management | Preventive | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | System hardening through configuration management | Preventive | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | System hardening through configuration management | Preventive | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | System hardening through configuration management | Preventive | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | System hardening through configuration management | Preventive | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | System hardening through configuration management | Preventive | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | System hardening through configuration management | Preventive | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | System hardening through configuration management | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | System hardening through configuration management | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | System hardening through configuration management | Preventive | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | System hardening through configuration management | Preventive | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | System hardening through configuration management | Preventive | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | System hardening through configuration management | Preventive | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | System hardening through configuration management | Preventive | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | System hardening through configuration management | Preventive | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | System hardening through configuration management | Preventive | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | System hardening through configuration management | Preventive | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | System hardening through configuration management | Preventive | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | System hardening through configuration management | Preventive | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | System hardening through configuration management | Preventive | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | System hardening through configuration management | Preventive | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | System hardening through configuration management | Preventive | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | System hardening through configuration management | Preventive | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | System hardening through configuration management | Preventive | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | System hardening through configuration management | Preventive | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | System hardening through configuration management | Preventive | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | System hardening through configuration management | Preventive | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | System hardening through configuration management | Preventive | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | System hardening through configuration management | Preventive | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | System hardening through configuration management | Preventive | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | System hardening through configuration management | Preventive | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | System hardening through configuration management | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | System hardening through configuration management | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | System hardening through configuration management | Preventive | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | System hardening through configuration management | Preventive | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | System hardening through configuration management | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | System hardening through configuration management | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | System hardening through configuration management | Preventive | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | System hardening through configuration management | Preventive | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | System hardening through configuration management | Preventive | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | System hardening through configuration management | Preventive | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | System hardening through configuration management | Preventive | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | System hardening through configuration management | Preventive | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | System hardening through configuration management | Preventive | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | System hardening through configuration management | Preventive | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | System hardening through configuration management | Preventive | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | System hardening through configuration management | Preventive | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | System hardening through configuration management | Preventive | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | System hardening through configuration management | Preventive | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | System hardening through configuration management | Preventive | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | System hardening through configuration management | Preventive | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | System hardening through configuration management | Preventive | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | System hardening through configuration management | Preventive | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | System hardening through configuration management | Preventive | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | System hardening through configuration management | Preventive | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | System hardening through configuration management | Preventive | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | System hardening through configuration management | Preventive | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | System hardening through configuration management | Preventive | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | System hardening through configuration management | Preventive | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | System hardening through configuration management | Preventive | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | System hardening through configuration management | Preventive | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | System hardening through configuration management | Preventive | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | System hardening through configuration management | Preventive | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | System hardening through configuration management | Preventive | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | System hardening through configuration management | Preventive | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | System hardening through configuration management | Preventive | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | System hardening through configuration management | Preventive | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | System hardening through configuration management | Preventive | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | System hardening through configuration management | Preventive | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | System hardening through configuration management | Preventive | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | System hardening through configuration management | Preventive | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | System hardening through configuration management | Preventive | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | System hardening through configuration management | Preventive | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | System hardening through configuration management | Preventive | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | System hardening through configuration management | Preventive | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | System hardening through configuration management | Preventive | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | System hardening through configuration management | Preventive | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | System hardening through configuration management | Preventive | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | System hardening through configuration management | Preventive | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | System hardening through configuration management | Preventive | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Preventive | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Preventive | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | System hardening through configuration management | Preventive | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | System hardening through configuration management | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Preventive | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1] | System hardening through configuration management | Preventive | |
| Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Corrective | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Detective | |
| Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Corrective | |
| Disable all unnecessary user identifiers. CC ID 02185 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | System hardening through configuration management | Preventive | |
| Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Preventive | |
| Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Preventive | |
| Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Preventive | |
| Configure accounts with administrative privilege. CC ID 07033 | System hardening through configuration management | Preventive | |
| Encrypt non-console administrative access. CC ID 00883 [Encrypt all non-console administrative access using strong cryptography. 2.3] | System hardening through configuration management | Preventive | |
| Configure the time server in accordance with organizational standards. CC ID 06426 | System hardening through configuration management | Preventive | |
| Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Configure the time servers to ensure Time settings are received from industry-accepted time sources. 10.4.3] | System hardening through configuration management | Preventive | |
| Restrict access to time server configuration to personnel with a business need. CC ID 06858 [Restrict access to time server configurations to ensure Time data is protected. 10.4.2] | System hardening through configuration management | Preventive | |
| Configure Account settings in accordance with organizational standards. CC ID 07603 | System hardening through configuration management | Preventive | |
| Configure the "Account lockout threshold" to organizational standards. CC ID 07604 [{configure} {account lockout threshold} Limit repeated access attempts by locking out the user ID after not more than six attempts. 8.1.6] | System hardening through configuration management | Preventive | |
| Configure the "Account lockout duration" to organizational standards. CC ID 07771 [Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. 8.1.7] | System hardening through configuration management | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
| Configure the security parameters for all logs. CC ID 01712 | System hardening through configuration management | Preventive | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | System hardening through configuration management | Preventive | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure the audit log to capture the following event for all system components: User identification 10.3.1] | System hardening through configuration management | Preventive | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure the audit log to capture the following event for all system components: Date and time 10.3.3] | System hardening through configuration management | Preventive | |
| Configure the log to uniquely identify each asset. CC ID 01339 [Configure the audit log to capture the following event for all system components: Identity or name of affected data, system component, or resource. 10.3.6] | System hardening through configuration management | Preventive | |
| Configure the log to capture the type of each event. CC ID 06423 [Configure the audit log to capture the following event for all system components: Type of event 10.3.2] | System hardening through configuration management | Preventive | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 [Configure the audit log to capture the following event for all system components: Success or failure indication 10.3.4] | System hardening through configuration management | Preventive | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Preventive | |
| Configure the log to capture configuration changes. CC ID 06881 | System hardening through configuration management | Preventive | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Preventive | |
| Configure the "Maximum password age" to organizational standards. CC ID 07688 [{maximum password age} Change user passwords/passphrases at least once every 90 days. 8.2.4] | System hardening through configuration management | Preventive | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | System hardening through configuration management | Preventive | |
| Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | System hardening through configuration management | Preventive | |
| Configure the "Enforce password history" to organizational standards. CC ID 07877 [{passphrase} {configure} {password history} Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. 8.2.5] | System hardening through configuration management | Preventive | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | System hardening through configuration management | Preventive | |
| Configure security and protection software to automatically run at startup. CC ID 12443 [Ensure that anti-virus mechanisms are actively verb">running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | System hardening through configuration management | Preventive | |
| Configure security and protection software to enable automatic updates. CC ID 11945 [Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | System hardening through configuration management | Preventive | |
| Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | System hardening through configuration management | Preventive | |
| Configure the file integrity monitoring software to perform critical file comparisons, as necessary. CC ID 11924 [Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | System hardening through configuration management | Preventive | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Preventive | |
| Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Preventive | |
| Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Preventive | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Preventive | |
| Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Preventive | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Preventive | |
| Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Preventive | |
| Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Preventive | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Preventive | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Preventive | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Preventive | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Preventive | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Preventive | |
| Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Preventive | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Preventive | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Preventive | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Preventive | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Preventive | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Preventive | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Preventive | |
| Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Preventive | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization. 3.2.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. 3.2.3] | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 [{inbound Internet traffic} Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Technical security | Preventive | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Technical security | Preventive | |
| Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 [{direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. 1.3.5] | Technical security | Preventive | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Preventive | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Preventive | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Restrict access to cardholder data by business need to know Requirement 7] | Technical security | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 [{generate} Include in the cryptographic key management procedures Generation of strong cryptographic keys. 3.6.1] | Technical security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [Include in the cryptographic key management procedures Secure cryptographic key distribution. 3.6.2] | Technical security | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
| Store cryptographic keys securely. CC ID 01298 [Include in the cryptographic key management procedures Secure cryptographic key storage. 3.6.3 Store cryptographic keys in the fewest possible locations. 3.5.3 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 [Restrict access to cryptographic keys to the fewest number of custodians necessary. 3.5.1] | Technical security | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 [Include in the cryptographic key management procedures Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). 3.6.4] | Technical security | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [Include in the cryptographic key management procedures If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control. 3.6.6] | Technical security | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 [{prevent} Include in the cryptographic key management procedures Prevention of unauthorized substitution of cryptographic keys. 3.6.7] | Technical security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Technical security | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Technical security | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
| Control access to restricted storage media. CC ID 04889 [Maintain strict control over the storage and accessibility of media. 9.7 {file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Physical and environmental protection | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Operational and Systems Continuity | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
| Approve tested change requests. CC ID 11783 [{approve} Change control procedures related to the implementation of security patches and software modifications must include Documented change approval by authorized parties. 6.4.5.2] | Operational management | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Preventive | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
| Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 | Systems design, build, and implementation | Preventive | |
| Transmit source code securely. CC ID 06397 | Systems design, build, and implementation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 [Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. 3.3] | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 [{primary account number} Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). 4.2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. A.1.1] | Third Party and supply chain oversight | Detective | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define and assign log management roles and responsibilities. CC ID 06311 | Monitoring and measurement | Preventive | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Preventive | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Preventive | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Include in the firewall and router configuration standard a Description of groups, roles, and responsibilities for management of network components. 1.1.5] | Technical security | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 [Classify media so the sensitivity of the data can be determined. 9.6.1] | Operational management | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response team member} Designate specific personnel to be available on a 24/7 basis to respond to alerts. 12.10.3 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Preventive | |
| Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Preventive | |
| Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Preventive | |
| Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Preventive | |
| Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Preventive | |
| Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Preventive | |
| Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
| Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Monitoring and measurement | Preventive | |
| Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Monitoring and measurement | Detective | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Preventive | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
| Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Preventive | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
| Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 [Implement a methodology for penetration testing that includes the following: - Is based on BC;" class="term_primary-noun">industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
| Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Detective | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.1] | Technical security | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 [Restrict each entity’s access and privileges to its own cardholder data environment only. A.1.2] | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 [{make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [{make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: 8.1] | Technical security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. 1.2] | Technical security | Preventive | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Preventive | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 [Establish and implement firewall and router configuration standards that include the following: 1.1] | Technical security | Preventive | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6 Implement additional security features for any required services, protocols, or daemons that are considered to und-color:#CBD0E5;" class="term_secondary-verb">be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. 2.2.3] | Technical security | Preventive | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Technical security | Preventive | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Technical security | Preventive | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 [Include in the firewall and router configuration standard Requirements for a firewall at each Internet connection and between any F0BBBC;" class="term_primary-noun">demilitarized zonespan> (DMZ) and the internal network zone. 1.1.4] | Technical security | Preventive | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [Include in the firewall and router configuration standard Current network diagram that identifies all s="term_primary-noun">connections between the cardholder data environment and other networks, including any or:#CBD0E5;" class="term_secondary-verb">-noun">wireless networks. 1.1.2] | Technical security | Preventive | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [Include in the firewall and router configuration standard Current diagram that shows all cardholder data flows across systems and networks. 1.1.3] | Technical security | Preventive | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Preventive | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Preventive | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Preventive | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6] | Technical security | Preventive | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Preventive | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Preventive | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Preventive | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Preventive | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3] | Technical security | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: 3.6 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. 3.5] | Technical security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | Technical security | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Corrective | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [{make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Preventive | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Preventive | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 [Implement procedures to identify and authorize visitors. 9.4] | Physical and environmental protection | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual yle="background-color:#F0BBBC;" class="term_primary-noun">job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Preventive | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Preventive | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Preventive | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 [Maintain a list of service providers. 12.8.1] | Operational and Systems Continuity | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. 12.6] | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. 12.6.2] | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7] | Operational management | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
| Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
| Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintain a policy that addresses information security for all personnel. Requirement 12 Establish, publish, maintain, and disseminate a security policy. 12.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1] | Operational management | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. 12.4] | Operational management | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Develop usage policies for critical technologies and define proper use of these technologies. 12.3] | Operational management | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [Require that usage policies include: Explicit approval by authorized parties 12.3.1] | Operational management | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Operational management | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 [Require that usage policies include: A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) 12.3.4] | Operational management | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Require that usage policies include: Acceptable uses of the technology 12.3.5] | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [Require that usage policies include: A list of all such devices and personnel with access 12.3.3] | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 [Require that usage policies include: Authentication for use of the technology 12.3.2] | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [Require that usage policies include: Acceptable network locations for the technologies 12.3.6] | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [Require that usage policies include: List of company-approved products 12.3.7] | Operational management | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 [Require that usage policies include: ">Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity 12.3.8] | Operational management | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Maintain an inventory of system components that are in scope for PCI DSS. 2.4] | Operational management | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [Maintain an inventory of authorized wireless access points including a documented business justification. 11.1.1] | Operational management | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 [Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1] | Operational management | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 [Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. 12.10.6] | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Implement an incident response plan. Be prepared to respond immediately to a system breach. 12.10 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Preventive | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Preventive | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
| Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Preventive | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [Formally assign information security responsibilities for: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Operational management | Preventive | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Operational management | Preventive | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Operational management | Preventive | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Preventive | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Preventive | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Prepare for incident response notifications. CC ID 00584 | Operational management | Preventive | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Operational management | Preventive | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
| Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Preventive | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Preventive | |
| Include management commitment in the incident response policy. CC ID 14106 | Operational management | Preventive | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Preventive | |
| Include the scope in the incident response policy. CC ID 14104 | Operational management | Preventive | |
| Include the purpose in the incident response policy. CC ID 14101 | Operational management | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 | Operational management | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{intrusion detection system} {intrusion prevention system} In the incident response plan Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. 12.10.5] | Operational management | Preventive | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Preventive | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Detective | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Detective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Detective | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Change control procedures related to the implementation of security patches and software modifications must include Back-out procedures. 6.4.5.4] | Operational management | Preventive | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [Change control procedures related to the implementation of security patches and software modifications must include Documentation of impact. 6.4.5.1] | Operational management | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | System hardening through configuration management | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Preventive | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Preventive | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Preventive | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | System hardening through configuration management | Preventive | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | System hardening through configuration management | Preventive | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Preventive | |
| Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Preventive | |
| Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Preventive | |
| Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Preventive | |
| Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Preventive | |
| Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Preventive | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Preventive | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Preventive | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Preventive | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Preventive | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Preventive | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Preventive | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Preventive | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Preventive | |
| Establish and maintain User Interface documentation. CC ID 12204 | Systems design, build, and implementation | Preventive | |
| Include system messages in human interface guidelines. CC ID 08663 | Systems design, build, and implementation | Preventive | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Systems design, build, and implementation | Preventive | |
| Include the data structure in the system design specification. CC ID 08669 | Systems design, build, and implementation | Preventive | |
| Include the input and output variables in the system design specification. CC ID 08670 | Systems design, build, and implementation | Preventive | |
| Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Preventive | |
| Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Preventive | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Preventive | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Systems design, build, and implementation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Systems design, build, and implementation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system implementation representation document. CC ID 04558 | Systems design, build, and implementation | Preventive | |
| Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Preventive | |
| Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Preventive | |
| Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Corrective | |
| Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Preventive | |
| Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 | Systems design, build, and implementation | Preventive | |
| Establish and maintain system security documentation. CC ID 06271 | Systems design, build, and implementation | Preventive | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Systems design, build, and implementation | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain promoting the system to a production environment procedures. CC ID 01119 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 [Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: 12.8] | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
| Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Preventive | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Detective | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Preventive | |
| Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Preventive | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Detective | |
| Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
| Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Preventive | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Preventive | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
| Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Preventive | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. 12.8.5] | Third Party and supply chain oversight | Detective | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 [Formally assign information security responsibilities for: Monitor and control all access to data. 12.5.5] | Monitoring and measurement | Detective | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 [Formally assign information security responsibilities for: Administer user accounts, including additions, deletions, and modifications. 12.5.4] | Technical security | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 [Include in the cryptographic key management procedures Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. 3.6.8] | Technical security | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 [Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) 12.7] | Human Resources management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Operational management | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Operational management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Operational management | Preventive | |
| Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Preventive | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Systems design, build, and implementation | Preventive | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 [Follow up exceptions and anomalies identified during the review process. 10.6.3] | Monitoring and measurement | Corrective | |
| Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Detective | |
| Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Detective | |
| Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Monitoring and measurement | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
| Scan for malicious code, as necessary. CC ID 11941 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Technical security | Detective | |
| Inspect device surfaces to detect tampering. CC ID 11868 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Physical and environmental protection | Detective | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Physical and environmental protection | Detective | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Detective | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Operational management | Detective | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Detective | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 [Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. A.1.4] | Operational management | Corrective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Implement audit trails to link all access to system components to each individual user. 10.1] | Monitoring and measurement | Detective | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Monitoring and measurement | Preventive | |
| Document and communicate the log locations to the owning entity. CC ID 12047 | Monitoring and measurement | Preventive | |
| Make logs available for review by the owning entity. CC ID 12046 | Monitoring and measurement | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Review logs and security events for all system components to identify anomalies or suspicious activity. 10.6 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 10.6.2 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1] | Monitoring and measurement | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 [Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. A.1.3] | Monitoring and measurement | Detective | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Detective | |
| Define the frequency to capture and log events. CC ID 06313 | Monitoring and measurement | Preventive | |
| Include logging frequencies in the event logging procedures. CC ID 00642 | Monitoring and measurement | Preventive | |
| Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Detective | |
| Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. 10.5.4] | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 [Secure audit trails so they cannot be altered. 10.5 Protect audit trail files from unauthorized modifications. 10.5.2] | Monitoring and measurement | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). 10.7] | Monitoring and measurement | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
| Establish and maintain a visitor log. CC ID 00715 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | System hardening through configuration management | Preventive | |
| Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 [Configure the audit log to capture Initialization, stopping, or pausing of the audit logs 10.2.6] | System hardening through configuration management | Detective | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure the audit log to capture the following event for all system components: Origination of event 10.3.5] | System hardening through configuration management | Detective | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 [Configure the audit log to capture Invalid logical access attempts 10.2.4] | System hardening through configuration management | Detective | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Configure the audit log to capture All individual user accesses to cardholder data 10.2.1] | System hardening through configuration management | Detective | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [{root privileges} Configure the audit log to capture All actions taken by any individual with root or administrative privileges 10.2.2] | System hardening through configuration management | Detective | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | System hardening through configuration management | Detective | |
| Configure the log to capture all access to the audit trail. CC ID 00646 [Configure the audit log to capture Access to all audit trails 10.2.3] | System hardening through configuration management | Detective | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | System hardening through configuration management | Detective | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 [Configure the audit log to capture Creation and deletion of system-level objects 10.2.7] | System hardening through configuration management | Detective | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | System hardening through configuration management | Detective | |
Maintenance | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 [Track and monitor all access to network resources and cardholder data Requirement 10] | Monitoring and measurement | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
| Monitor and evaluate system performance. CC ID 00651 | Monitoring and measurement | Detective | |
| Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitoring and measurement | Detective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitoring and measurement | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitoring and measurement | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitoring and measurement | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitoring and measurement | Corrective | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Preventive | |
| Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Detective | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Detective | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Detective | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Detective | |
| Implement file integrity monitoring. CC ID 01205 [{file integrity monitoring software} Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 10.5.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | Monitoring and measurement | Detective | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Preventive | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Preventive | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Detective | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Detective | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Detective | |
| Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Detective | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
| Monitor for new vulnerabilities. CC ID 06843 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Corrective | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. 12.8.4] | Monitoring and measurement | Detective | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Monitor and evaluate all remote access usage. CC ID 00563 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Technical security | Detective | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Detective | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
| Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Detective | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. 9.1] | Physical and environmental protection | Detective | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Corrective | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
| Supervise and monitor outsourced development projects. CC ID 01096 | Systems design, build, and implementation | Detective | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Preventive | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Preventive | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Preventive | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. 9.9] | Physical and environmental protection | Preventive | |
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Corrective | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
| Restrict physical access to distributed assets. CC ID 11865 [{networking hardware} Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. 9.1.3 {physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and environmental protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 [Restrict physical access to cardholder data Requirement 9] | Physical and environmental protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 [Protect stored cardholder data. Requirement 3 Physically secure all media. 9.5] | Physical and environmental protection | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Preventive | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Preventive | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Detective | |
| Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Preventive | |
| Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Preventive | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Preventive | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Preventive | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Preventive | |
| Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Preventive | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Preventive | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Preventive | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Detective | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Preventive | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Preventive | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Detective | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Preventive | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Preventive | |
| Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Preventive | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Preventive | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Preventive | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Preventive | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Preventive | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Preventive | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Preventive | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Preventive | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Preventive | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Preventive | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 [{physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and environmental protection | Preventive | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Preventive | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Preventive | |
| Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Preventive | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Preventive | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Preventive | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Preventive | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Preventive | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Preventive | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Preventive | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
| Protect clients' hosted environments. CC ID 11862 [Shared hosting providers must protect each entity’s hosted environment and cardholder data. 2.6] | Operational management | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be m_secondary-verb">destroyed. 9.8.1] | Records management | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. 9.8.1] | Records management | Preventive | |
| Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Preventive | |
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Preventive | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
| Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 [The access control system must include Default “deny-all” setting. 7.2.3 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Technical security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Preventive | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1 Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1] | Technical security | Detective | |
| Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
| Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1 {legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Preventive | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Systems design, build, and implementation | Preventive | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Systems design, build, and implementation | Preventive | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Systems design, build, and implementation | Preventive | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Systems design, build, and implementation | Preventive | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Systems design, build, and implementation | Preventive | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Preventive | |
| Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Preventive | |
| Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Preventive | |
| Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Detective | |
| Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 [Include in the coding manual how to protect applications from Cross-site scripting (XSS) 6.5.7] | Systems design, build, and implementation | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [Use a coding manual to protect against coding vulnerabilities such as All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). 6.5.6] | Systems design, build, and implementation | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 [Include in the coding manual how to protect applications from Broken authentication and session management 6.5.10] | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 [Include in the coding manual how to protect applications from Cross-site request forgery (CSRF) 6.5.9] | Systems design, build, and implementation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain penetration test results according to internal policy. CC ID 10049 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
| Retain video events according to Records Management procedures. CC ID 06304 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{internal distribution} Maintain strict control over the internal or external distribution of any kind of media, including the following: 9.6] | Physical and environmental protection | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). 9.6.3] | Physical and environmental protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 [Maintain strict control over the storage and accessibility of media. 9.7] | Physical and environmental protection | Preventive | |
| Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Records management | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Back up audit trails according to backup procedures. CC ID 11642 [Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.3] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Operational and Systems Continuity | Detective | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Preventive | |
| Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
| Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
| Implement only one application or primary function per network component or server. CC ID 00879 [Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. 2.2.1] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7] | Systems design, build, and implementation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [Develop and maintain secure systems and applications. Requirement 6] | Systems design, build, and implementation | Preventive | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Preventive | |
| Develop new products based on best practices. CC ID 01095 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems design, build, and implementation | Preventive | |
| Include threat models in the system design specification. CC ID 06829 | Systems design, build, and implementation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Preventive | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Preventive | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Preventive | |
| Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Preventive | |
| Implement security controls when developing systems. CC ID 06270 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems design, build, and implementation | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems design, build, and implementation | Preventive | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Preventive | |
| Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Preventive | |
| Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Preventive | |
| Follow security design requirements when developing systems. CC ID 06827 | Systems design, build, and implementation | Preventive | |
| Identify multi-project interfaces and dependencies. CC ID 06902 | Systems design, build, and implementation | Preventive | |
| Design the security architecture. CC ID 06269 | Systems design, build, and implementation | Preventive | |
| Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Preventive | |
| Implement software development version controls. CC ID 01098 | Systems design, build, and implementation | Preventive | |
| Follow the system development process when upgrading a system. CC ID 01059 | Systems design, build, and implementation | Preventive | |
| Conduct a design review at each milestone or quality gate. CC ID 01087 | Systems design, build, and implementation | Detective | |
| Approve the design methodology before moving forward on the system design project. CC ID 01060 | Systems design, build, and implementation | Preventive | |
| Perform source code analysis at each milestone or quality gate. CC ID 06832 | Systems design, build, and implementation | Corrective | |
| Identify and redesign unsafe functions when developing systems. CC ID 06831 | Systems design, build, and implementation | Preventive | |
| Monitor the development environment for when malicious code is discovered. CC ID 06396 | Systems design, build, and implementation | Detective | |
| Develop new products based on secure coding techniques. CC ID 11733 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5 {assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Corrective | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Leadership and high level objectives | Detective | |
| Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Monitoring and measurement | Detective | |
| Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Preventive | |
| Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 | Monitoring and measurement | Preventive | |
| Implement detonation chambers, where appropriate. CC ID 10670 | Monitoring and measurement | Preventive | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
| Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Corrective | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Detective | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Preventive | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Preventive | |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Detective | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [Regularly test security systems and processes. Requirement 11] | Monitoring and measurement | Detective | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 [Implement incident response procedures in the event unauthorized wireless access points are detected. 11.1.2] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
| Perform internal penetration tests, as necessary. CC ID 12471 [Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.2] | Monitoring and measurement | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 [Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.1] | Monitoring and measurement | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.1.2] | Monitoring and measurement | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Detective | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 [{internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Detective | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Monitoring and measurement | Detective | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Preventive | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 [Limit viewing of audit trails to those with a job-related need. 10.5.1] | Monitoring and measurement | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2 Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
| Identify information system users. CC ID 12081 | Technical security | Detective | |
| Review user accounts. CC ID 00525 | Technical security | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Detective | |
| Review shared accounts. CC ID 11840 | Technical security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 [{job function} {user privilege} Assign access based on individual personnel’s job classification and function. 7.1.3 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. 7.1.2 {job function} The access control system must include Assignment of privileges to individuals based on job classification and function. 7.2.2] | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 [Require documented approval by authorized parties specifying required privileges. 7.1.4] | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 [The access control system must include Coverage of all system components 7.2.1] | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [Establish an access control system for systems components that restricts access 0E5;" class="term_secondary-verb">based</span> on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Control user privileges. CC ID 11665 | Technical security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. 8.1.2] | Technical security | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Technical security | Preventive | |
| Remove inactive user accounts, as necessary. CC ID 00517 [Remove/disable inactive user accounts within 90 days. 8.1.4] | Technical security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
| Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6] | Technical security | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
| Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Do not disclose private IP addresses and routing information to unauthorized parties. 1.3.8] | Technical security | Preventive | |
| Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Preventive | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [Prohibit direct public access between the Internet and any system component in the cardholder data environment. 1.3] | Technical security | Preventive | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Limit inbound Internet traffic to IP addresses within the DMZ. 1.3.2 {direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Preventive | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Preventive | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Preventive | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Preventive | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Include in the firewall and router configuration standard a Requirement to review firewall and router rule sets at least every six months. 1.1.7] | Technical security | Corrective | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Technical security | Preventive | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Preventive | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 [{file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Technical security | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. 4.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. 4.1.1 {transmit} Encrypt transmission of cardholder data across open, public networks. Requirement 4] | Technical security | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Preventive | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Corrective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 [Require that usage policies include: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use 12.3.9] | Operational management | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
| Patch software. CC ID 11825 | Operational management | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 | System hardening through configuration management | Preventive | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or erb">style="background-color:#F0BBBC;" class="term_primary-noun">session. 8.1.8] | System hardening through configuration management | Preventive | |
| Invalidate session identifiers upon session termination. CC ID 10649 | System hardening through configuration management | Preventive | |
| Verify users are listed in the ASET userlist file. CC ID 04907 | System hardening through configuration management | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Detective | |
| Manage access credentials for service accounts. CC ID 13862 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
| Verify system files are not world-writable. CC ID 01546 | System hardening through configuration management | Preventive | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | System hardening through configuration management | Preventive | |
| Find files and directories with extended attributes. CC ID 01552 | System hardening through configuration management | Detective | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | System hardening through configuration management | Preventive | |
| Manage temporary files, as necessary. CC ID 04847 | System hardening through configuration management | Preventive | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | System hardening through configuration management | Preventive | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | System hardening through configuration management | Preventive | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Preventive | |
| Use randomly generated session identifiers. CC ID 07074 | Systems design, build, and implementation | Preventive | |
| Limit the embedding of data types inside other data types. CC ID 06759 | Systems design, build, and implementation | Preventive | |
| Protect system libraries. CC ID 01097 | Systems design, build, and implementation | Preventive | |
| Protect application program libraries. CC ID 11762 | Systems design, build, and implementation | Preventive | |
| Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Preventive | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 | Systems design, build, and implementation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 [Include in the coding manual how to protect applications from Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). 6.5.8] | Systems design, build, and implementation | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [Include in the coding manual how to protect applications from Improper error handling 6.5.5] | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 [Include in the coding manual how to protect applications from Insecure communications 6.5.4] | Systems design, build, and implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 [Include in the coding manual how to protect applications from Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 6.5.1] | Systems design, build, and implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Systems design, build, and implementation | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Systems design, build, and implementation | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 [Include in the coding manual how to protect applications from Buffer overflows. 6.5.2] | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 [Include in the coding manual how to protect applications from Insecure cryptographic storage 6.5.3] | Systems design, build, and implementation | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Preventive | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 [Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2] | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 [Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: - One-way hashes based on strong cryptography, (hash must be of the entire PAN) - Truncation (hashing cannot be used to replace the truncated segment of PAN) - Index tokens and pads (pads must be securely stored) - Strong cryptography with associated key-management processes and procedures. 3.4] | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
| Assess customer satisfaction. CC ID 00652 | Monitoring and measurement | Detective | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
| Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Detective | |
| Scan the network for wireless access points. CC ID 00370 [Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. 11.1] | Monitoring and measurement | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Detective | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
| Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 [If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. 11.3.4 Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Detective | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 [Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. 11.3.3] | Monitoring and measurement | Detective | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Monitoring and measurement | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Detective | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Detective | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Detective | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Detective | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Employ unique identifiers. CC ID 01273 [Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. 8.5.1 Assign all users a unique ID before allowing them to access system components or cardholder data. 8.1.1] | Technical security | Detective | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 [Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. 8.2.2] | Technical security | Detective | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Implement stateful inspection, also known as dynamic packet filtering. 1.3.6] | Technical security | Detective | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Physical and environmental protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Detective | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [{development/test environment} The change control processes must implement Separation of duties between development/test and production environments. 6.4.2] | Human Resources management | Detective | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Detective | |
| Test the incident response procedures. CC ID 01216 [{incident response plan} Test the plan at least annually. 12.10.2] | Operational management | Detective | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 [Change control procedures related to the implementation of security patches and software modifications must include Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3] | Operational management | Detective | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Detective | |
| Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | System hardening through configuration management | Preventive | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Detective | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of e="background-color:#F0BBBC;" class="term_primary-noun">malicious software. 5.1.1] | System hardening through configuration management | Detective | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 [Destroy media when it is no longer needed for business or legal reasons as follows: 9.8 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. 9.8.2] | Records management | Detective | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Detective | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Detective | |
| Reassess the system design after the product has been tested. CC ID 01088 | Systems design, build, and implementation | Detective | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Detective | |
| Restrict production data from being used in the test environment. CC ID 01103 [The change control processes must include Production data (live PANs) are not used for testing or development 6.4.3] | Systems design, build, and implementation | Detective | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Detective | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Detective | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 [Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. 3.2.1] | Privacy protection for information and data | Detective | |
| Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.2 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9] | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.8.3] | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
| Conduct tampering prevention training. CC ID 11875 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
| Conduct incident response training. CC ID 11889 [Provide appropriate training to staff with security breach response responsibilities. 12.10.4] | Operational management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 [Follow up exceptions and anomalies identified during the review process. 10.6.3] | Monitoring and measurement | Investigate | |
| Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Technical Security | |
| Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 [Implement incident response procedures in the event unauthorized wireless access points are detected. 11.1.2] | Monitoring and measurement | Technical Security | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Configuration | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Technical Security | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Establish/Maintain Documentation | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
| Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [Immediately revoke access for any terminated users. 8.1.3 Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Technical security | Behavior | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
| Remove inactive user accounts, as necessary. CC ID 00517 [Remove/disable inactive user accounts within 90 days. 8.1.4] | Technical security | Technical Security | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Include in the firewall and router configuration standard a Requirement to review firewall and router rule sets at least every six months. 1.1.7] | Technical security | Technical Security | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Technical security | Data and Information Management | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [{cryptographic key} Include in the cryptographic key management procedures Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. 3.6.5] | Technical security | Data and Information Management | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Establish/Maintain Documentation | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Technical Security | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Physical and Environmental Protection | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Conduct secure coding and development training for developers. CC ID 06822 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5] | Human Resources management | Behavior | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 [Implement a process to respond to any alerts generated by the change-detection solution. 11.5.1] | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 [Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. A.1.4] | Operational management | Investigate | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Business Processes | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 [Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. 6.2] | Operational management | Configuration | |
| Patch software. CC ID 11825 | Operational management | Technical Security | |
| Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
| Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
| Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Configuration | |
| Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Configuration | |
| Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Perform source code analysis at each milestone or quality gate. CC ID 06832 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Testing | |
| Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Business Processes | |
| Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Leadership and high level objectives | Technical Security | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Implement audit trails to link all access to system components to each individual user. 10.1] | Monitoring and measurement | Log Management | |
| Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Actionable Reports or Measurements | |
| Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 | Monitoring and measurement | Technical Security | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 [Track and monitor all access to network resources and cardholder data Requirement 10] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 [Formally assign information security responsibilities for: Monitor and control all access to data. 12.5.5] | Monitoring and measurement | Human Resources Management | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Review logs and security events for all system components to identify anomalies or suspicious activity. 10.6 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. 10.6.2 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1 Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.). 10.6.1] | Monitoring and measurement | Log Management | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 [Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. A.1.3] | Monitoring and measurement | Log Management | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Log Management | |
| Monitor and evaluate system performance. CC ID 00651 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Investigate | |
| Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Investigate | |
| Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Investigate | |
| Assess customer satisfaction. CC ID 00652 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Implement file integrity monitoring. CC ID 01205 [{file integrity monitoring software} Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 10.5.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Technical Security | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Log Management | |
| Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Communicate | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Log Management | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Technical Security | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [Regularly test security systems and processes. Requirement 11] | Monitoring and measurement | Technical Security | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
| Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Testing | |
| Scan the network for wireless access points. CC ID 00370 [Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. 11.1] | Monitoring and measurement | Testing | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Technical Security | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Testing | |
| Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
| Perform penetration tests, as necessary. CC ID 00655 [If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. 11.3.4 Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Testing | |
| Perform internal penetration tests, as necessary. CC ID 12471 [Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.2] | Monitoring and measurement | Technical Security | |
| Perform external penetration tests, as necessary. CC ID 12470 [Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.3.1] | Monitoring and measurement | Technical Security | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Testing | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Testing | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Technical Security | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
| Repeat penetration testing, as necessary. CC ID 06860 [Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. 11.3.3] | Monitoring and measurement | Testing | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Monitoring and measurement | Testing | |
| Identify and document security vulnerabilities. CC ID 11857 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.1.2] | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 [Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 6.1] | Monitoring and measurement | Investigate | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Technical Security | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. 11.2.1 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Testing | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 [{internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Technical Security | |
| Perform external vulnerability scans, as necessary. CC ID 11624 [{internal network vulnerability scan} Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2 {internal vulnerability scan} {external vulnerability scan} Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. 11.2.3] | Monitoring and measurement | Technical Security | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Monitoring and measurement | Technical Security | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Technical Security | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Testing | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Testing | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Testing | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Configuration | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. 12.8.4] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
| Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Establish/Maintain Documentation | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
| Identify information system users. CC ID 12081 | Technical security | Technical Security | |
| Review user accounts. CC ID 00525 | Technical security | Technical Security | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Configuration | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Technical Security | |
| Review shared accounts. CC ID 11840 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
| Employ unique identifiers. CC ID 01273 [Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. 8.5.1 Assign all users a unique ID before allowing them to access system components or cardholder data. 8.1.1] | Technical security | Testing | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Testing | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 [Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. 8.2.2] | Technical security | Testing | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1 Include in the firewall and router configuration standard A formal process for approving and rimary-verb">testing all r:#F0BBBC;" class="term_primary-noun">network connections and changes to the firewall and router configurations 1.1.1] | Technical security | Process or Activity | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Configuration | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Implement stateful inspection, also known as dynamic packet filtering. 1.3.6] | Technical security | Testing | |
| Configure network access and control points to organizational standards. CC ID 12442 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in imary-verb">use, and known to all affected parties. 1.5] | Technical security | Configuration | |
| Monitor and evaluate all remote access usage. CC ID 00563 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Technical security | Monitor and Evaluate Occurrences | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
| Scan for malicious code, as necessary. CC ID 11941 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Technical security | Investigate | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Testing | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Monitor and Evaluate Occurrences | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Technical Security | |
| Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Audits and Risk Management | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect device surfaces to detect tampering. CC ID 11868 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Physical and environmental protection | Investigate | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 [Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 9.9.2] | Physical and environmental protection | Investigate | |
| Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. 9.1] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Data and Information Management | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Investigate | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Physical and Environmental Protection | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Physical and Environmental Protection | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Physical and Environmental Protection | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Operational and Systems Continuity | Systems Continuity | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Testing | |
| Perform a background check during personnel screening. CC ID 11758 [Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) 12.7] | Human Resources management | Human Resources Management | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [{development/test environment} The change control processes must implement Separation of duties between development/test and production environments. 6.4.2] | Human Resources management | Testing | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Analyze and respond to security alerts. CC ID 12504 | Operational management | Business Processes | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Operational management | Investigate | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 | Operational management | Establish/Maintain Documentation | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Testing | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Investigate | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Investigate | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Establish/Maintain Documentation | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Communicate | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Investigate | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Investigate | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Establish/Maintain Documentation | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Testing | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Investigate | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Establish/Maintain Documentation | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Establish/Maintain Documentation | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Establish/Maintain Documentation | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Establish/Maintain Documentation | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Establish/Maintain Documentation | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Investigate | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Investigate | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Investigate | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Investigate | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Investigate | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Investigate | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Investigate | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Investigate | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Investigate | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Investigate | |
| Test the incident response procedures. CC ID 01216 [{incident response plan} Test the plan at least annually. 12.10.2] | Operational management | Testing | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 [Change control procedures related to the implementation of security patches and software modifications must include Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3] | Operational management | Testing | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Testing | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Testing | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Technical Security | |
| Find files and directories with extended attributes. CC ID 01552 | System hardening through configuration management | Technical Security | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Configuration | |
| Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 [Configure the audit log to capture Initialization, stopping, or pausing of the audit logs 10.2.6] | System hardening through configuration management | Log Management | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure the audit log to capture the following event for all system components: Origination of event 10.3.5] | System hardening through configuration management | Log Management | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 [Configure the audit log to capture Invalid logical access attempts 10.2.4] | System hardening through configuration management | Log Management | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Configure the audit log to capture All individual user accesses to cardholder data 10.2.1] | System hardening through configuration management | Log Management | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [{root privileges} Configure the audit log to capture All actions taken by any individual with root or administrative privileges 10.2.2] | System hardening through configuration management | Log Management | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | System hardening through configuration management | Log Management | |
| Configure the log to capture all access to the audit trail. CC ID 00646 [Configure the audit log to capture Access to all audit trails 10.2.3] | System hardening through configuration management | Log Management | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | System hardening through configuration management | Log Management | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 [Configure the audit log to capture Creation and deletion of system-level objects 10.2.7] | System hardening through configuration management | Log Management | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 [{root privileges} Configure the audit log to capture Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 10.2.5] | System hardening through configuration management | Log Management | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of e="background-color:#F0BBBC;" class="term_primary-noun">malicious software. 5.1.1] | System hardening through configuration management | Testing | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 [Destroy media when it is no longer needed for business or legal reasons as follows: 9.8 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. 9.8.2] | Records management | Testing | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Testing | |
| Supervise and monitor outsourced development projects. CC ID 01096 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Testing | |
| Conduct a design review at each milestone or quality gate. CC ID 01087 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Reassess the system design after the product has been tested. CC ID 01088 | Systems design, build, and implementation | Testing | |
| Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Process or Activity | |
| Monitor the development environment for when malicious code is discovered. CC ID 06396 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Testing | |
| Restrict production data from being used in the test environment. CC ID 01103 [The change control processes must include Production data (live PANs) are not used for testing or development 6.4.3] | Systems design, build, and implementation | Testing | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Testing | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Testing | |
| Approve all custom code test results before code is released. CC ID 06293 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Testing | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 [Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. 3.2.1] | Privacy protection for information and data | Testing | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.8.2 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. 12.9] | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. A.1.1] | Third Party and supply chain oversight | Data and Information Management | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
| Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. 12.8.3] | Third Party and supply chain oversight | Testing | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Audits and Risk Management | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. 12.8.5] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Communicate | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 | Monitoring and measurement | Log Management | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Configuration | |
| Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Establish/Maintain Documentation | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Configuration | |
| Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 | Monitoring and measurement | Behavior | |
| Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Monitoring and measurement | Behavior | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 [{intrusion-detection technique} {keep up to date} Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.4] | Monitoring and measurement | Technical Security | |
| Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 | Monitoring and measurement | Technical Security | |
| Implement detonation chambers, where appropriate. CC ID 10670 | Monitoring and measurement | Technical Security | |
| Define and assign log management roles and responsibilities. CC ID 06311 | Monitoring and measurement | Establish Roles | |
| Document and communicate the log locations to the owning entity. CC ID 12047 | Monitoring and measurement | Log Management | |
| Make logs available for review by the owning entity. CC ID 12046 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Log Management | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
| Document the event information to be logged in the event information log specification. CC ID 00639 | Monitoring and measurement | Configuration | |
| Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Configuration | |
| Enable and configure logging on all network access controls. CC ID 01963 | Monitoring and measurement | Configuration | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. 10.4 Use time-synchronization technology to ensure Critical systems have the correct and consistent time. 10.4.1] | Monitoring and measurement | Configuration | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Configuration | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Communicate | |
| Define the frequency to capture and log events. CC ID 06313 | Monitoring and measurement | Log Management | |
| Include logging frequencies in the event logging procedures. CC ID 00642 | Monitoring and measurement | Log Management | |
| Review and update the list of auditable events in the event logging procedures. CC ID 10097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Monitoring and measurement | Communicate | |
| Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Technical Security | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Establish/Maintain Documentation | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Process or Activity | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for new vulnerabilities. CC ID 06843 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a testing program. CC ID 00654 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6 {make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
| Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Configuration | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
| Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [{make known} Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6] | Monitoring and measurement | Communicate | |
| Align the penetration test program with industry standards. CC ID 12469 [Implement a methodology for penetration testing that includes the following: - Is based on BC;" class="term_primary-noun">industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Establish/Maintain Documentation | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Establish Roles | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Testing | |
| Retain penetration test results according to internal policy. CC ID 10049 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Records Management | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 [Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes testing to validate any segmentation and scope-reduction controls - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 - Defines network-layer penetration tests to include components that support network functions as well as operating systems - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months - Specifies retention of penetration testing results and remediation activities results. 11.3] | Monitoring and measurement | Records Management | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 [Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) s="term_secondary-verb">approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 11.2.2] | Monitoring and measurement | Business Processes | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
| Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 [Limit viewing of audit trails to those with a job-related need. 10.5.1] | Monitoring and measurement | Technical Security | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
| Back up audit trails according to backup procedures. CC ID 11642 [Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.3] | Monitoring and measurement | Systems Continuity | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. 10.5.4] | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
| Protect logs from unauthorized activity. CC ID 01345 [Secure audit trails so they cannot be altered. 10.5 Protect audit trail files from unauthorized modifications. 10.5.2] | Monitoring and measurement | Log Management | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). 10.7] | Monitoring and measurement | Log Management | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2 Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Technical Security | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Audits and Risk Management | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Testing | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [Implement a risk-assessment process that: - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), - Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk. 12.2] | Audits and risk management | Establish/Maintain Documentation | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Establish/Maintain Documentation | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.1] | Technical security | Establish/Maintain Documentation | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Establish/Maintain Documentation | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Establish/Maintain Documentation | |
| Include third party access in the access classification scheme. CC ID 11786 [Restrict each entity’s access and privileges to its own cardholder data environment only. A.1.2] | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access control program. CC ID 11702 [{make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Establish/Maintain Documentation | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Establish/Maintain Documentation | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Establish/Maintain Documentation | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [{make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: 8.1] | Technical security | Establish/Maintain Documentation | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
| Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 [{job function} {user privilege} Assign access based on individual personnel’s job classification and function. 7.1.3 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. 7.1.2 {job function} The access control system must include Assignment of privileges to individuals based on job classification and function. 7.2.2] | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 [Require documented approval by authorized parties specifying required privileges. 7.1.4] | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6 Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. 7.1.1 Identify and authenticate access to system components Requirement 8] | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 [The access control system must include Coverage of all system components 7.2.1] | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 [The access control system must include Default “deny-all” setting. 7.2.3 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [Establish an access control system for systems components that restricts access 0E5;" class="term_secondary-verb">based</span> on a user’s need to know, and is set to “deny all” unless specifically allowed. 7.2] | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 [Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. 8.1.5] | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Control user privileges. CC ID 11665 | Technical security | Technical Security | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Technical Security | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. 8.1.2] | Technical security | Technical Security | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 [Formally assign information security responsibilities for: Administer user accounts, including additions, deletions, and modifications. 12.5.4] | Technical security | Human Resources Management | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Technical security | Technical Security | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
| Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Technical Security | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Technical Security | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Data and Information Management | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 [Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change passwords if there is any suspicion the password could be compromised. 8.4] | Technical security | Establish/Maintain Documentation | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Technical Security | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Process or Activity | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Human Resources Management | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Technical Security | |
| Assign authenticators to user accounts. CC ID 06855 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Configuration | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Configuration | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 [{physical control} Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. 8.6] | Technical security | Technical Security | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 [In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric. 8.2] | Technical security | Establish Roles | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. 1.2] | Technical security | Establish/Maintain Documentation | |
| Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Do not disclose private IP addresses and routing information to unauthorized parties. 1.3.8] | Technical security | Technical Security | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Communicate | |
| Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Technical Security | |
| Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [Prohibit direct public access between the Internet and any system component in the cardholder data environment. 1.3] | Technical security | Technical Security | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 [{inbound Internet traffic} Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Technical security | Data and Information Management | |
| Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Limit inbound Internet traffic to IP addresses within the DMZ. 1.3.2 {direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Technical Security | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Technical security | Data and Information Management | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Establish/Maintain Documentation | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Include in the firewall and router configuration standard a Description of groups, roles, and responsibilities for management of network components. 1.1.5] | Technical security | Establish Roles | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Technical Security | |
| Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Configuration | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Technical security | Configuration | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Configuration | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Technical Security | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 [Establish and implement firewall and router configuration standards that include the following: 1.1] | Technical security | Establish/Maintain Documentation | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Technical Security | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5] | Technical security | Configuration | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6 Implement additional security features for any required services, protocols, or daemons that are considered to und-color:#CBD0E5;" class="term_secondary-verb">be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. 2.2.3] | Technical security | Establish/Maintain Documentation | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Technical security | Establish/Maintain Documentation | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Include in the firewall and router configuration standard: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.2.1] | Technical security | Establish/Maintain Documentation | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 [Include in the firewall and router configuration standard Requirements for a firewall at each Internet connection and between any F0BBBC;" class="term_primary-noun">demilitarized zonespan> (DMZ) and the internal network zone. 1.1.4] | Technical security | Establish/Maintain Documentation | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [Include in the firewall and router configuration standard Current network diagram that identifies all s="term_primary-noun">connections between the cardholder data environment and other networks, including any or:#CBD0E5;" class="term_secondary-verb">-noun">wireless networks. 1.1.2] | Technical security | Establish/Maintain Documentation | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [Include in the firewall and router configuration standard Current diagram that shows all cardholder data flows across systems and networks. 1.1.3] | Technical security | Establish/Maintain Documentation | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Configuration | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Establish/Maintain Documentation | |
| Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Establish/Maintain Documentation | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Establish/Maintain Documentation | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Include in the firewall and router configuration standard Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. 1.1.6] | Technical security | Establish/Maintain Documentation | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Establish/Maintain Documentation | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Establish/Maintain Documentation | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4 {mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Technical security | Configuration | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: - Specific configuration settings are defined for personal firewall software. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4] | Technical security | Technical Security | |
| Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. 1.3.4 Install and maintain a firewall configuration to protect cardholder data. Requirement 1] | Technical security | Configuration | |
| Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Technical Security | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3] | Technical security | Configuration | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Configuration | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Configuration | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Configuration | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Configuration | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Configuration | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Configuration | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Configuration | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Configuration | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Configuration | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Configuration | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Configuration | |
| Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Configuration | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Technical Security | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 [{direct inbound connection} {direct outbound connection} Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.3 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. 1.3.5] | Technical security | Data and Information Management | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Data and Information Management | |
| Synchronize and secure all router configuration files. CC ID 01291 [Secure and synchronize router configuration files. 1.2.2] | Technical security | Configuration | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Configuration | |
| Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Audits and Risk Management | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Configuration | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Establish/Maintain Documentation | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Establish/Maintain Documentation | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Establish/Maintain Documentation | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 [For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 6.6] | Technical security | Configuration | |
| Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Process or Activity | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Data and Information Management | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Restrict access to cardholder data by business need to know Requirement 7] | Technical security | Data and Information Management | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Technical Security | |
| Implement multifactor authentication techniques. CC ID 00561 [Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). 8.3] | Technical security | Configuration | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [{make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3] | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Data and Information Management | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: 3.6 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. 3.5] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
| Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
| Generate strong cryptographic keys. CC ID 01299 [{generate} Include in the cryptographic key management procedures Generation of strong cryptographic keys. 3.6.1] | Technical security | Data and Information Management | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 [{file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Technical security | Technical Security | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [Include in the cryptographic key management procedures Secure cryptographic key distribution. 3.6.2] | Technical security | Data and Information Management | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
| Store cryptographic keys securely. CC ID 01298 [Include in the cryptographic key management procedures Secure cryptographic key storage. 3.6.3 Store cryptographic keys in the fewest possible locations. 3.5.3 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2 {secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Data and Information Management | |
| Restrict access to cryptographic keys. CC ID 01297 [Restrict access to cryptographic keys to the fewest number of custodians necessary. 3.5.1] | Technical security | Data and Information Management | |
| Store cryptographic keys in encrypted format. CC ID 06084 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Data and Information Management | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 [{secret key} Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key - Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) - As at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.2] | Technical security | Technical Security | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 [Include in the cryptographic key management procedures Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). 3.6.4] | Technical security | Data and Information Management | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [Include in the cryptographic key management procedures If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control. 3.6.6] | Technical security | Data and Information Management | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 [{prevent} Include in the cryptographic key management procedures Prevention of unauthorized substitution of cryptographic keys. 3.6.7] | Technical security | Data and Information Management | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 [Include in the cryptographic key management procedures Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. 3.6.8] | Technical security | Human Resources Management | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. 4.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. 4.1.1 {transmit} Encrypt transmission of cardholder data across open, public networks. Requirement 4] | Technical security | Technical Security | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Technical Security | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Behavior | |
| Install security and protection software, as necessary. CC ID 00575 [Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 5.1] | Technical security | Configuration | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Technical Security | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
| Lock antivirus configurations. CC ID 10047 [Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | Technical security | Configuration | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [{make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Establish/Maintain Documentation | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Establish/Maintain Documentation | |
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Physical and Environmental Protection | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Physical and Environmental Protection | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Physical and Environmental Protection | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Configuration | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Configuration | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Communicate | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. 9.9] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Establish/Maintain Documentation | |
| Control physical access to (and within) the facility. CC ID 01329 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Establish/Maintain Documentation | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 [Implement procedures to identify and authorize visitors. 9.4] | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort visitors within the facility, as necessary. CC ID 06417 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Physical and environmental protection | Establish/Maintain Documentation | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 [Include in the visitor identification procedures Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 9.4.1] | Physical and environmental protection | Testing | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual yle="background-color:#F0BBBC;" class="term_primary-noun">job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Establish/Maintain Documentation | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
| Issue visitor identification badges to all non-employees. CC ID 00543 [Include in the visitor identification procedures Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. 9.4.2] | Physical and environmental protection | Behavior | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 [Include in the visitor identification procedures Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. 9.4.3] | Physical and environmental protection | Behavior | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 [Develop procedures to easily distinguish between onsite personnel and visitors, to include: - Identifying onsite personnel and visitors (for example, assigning badges) - Changes to access requirements - Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). 9.2] | Physical and environmental protection | Establish/Maintain Documentation | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
| Establish and maintain a visitor log. CC ID 00715 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Log Management | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
| Record the visitor's name in the visitor log. CC ID 00557 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Log Management | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 [A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. 9.4.4] | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
| Retain video events according to Records Management procedures. CC ID 06304 [{video event} Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. 9.1.1] | Physical and environmental protection | Records Management | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{internal distribution} Maintain strict control over the internal or external distribution of any kind of media, including the following: 9.6] | Physical and environmental protection | Records Management | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). 9.6.3] | Physical and environmental protection | Records Management | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 [Send the media by secured courier or other delivery method that can be accurately tracked. 9.6.2] | Physical and environmental protection | Business Processes | |
| Restrict physical access to distributed assets. CC ID 11865 [{networking hardware} Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. 9.1.3 {physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and environmental protection | Physical and Environmental Protection | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect electronic storage media with physical access controls. CC ID 00720 [Restrict physical access to cardholder data Requirement 9] | Physical and environmental protection | Physical and Environmental Protection | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
| Control access to restricted storage media. CC ID 04889 [Maintain strict control over the storage and accessibility of media. 9.7 {file-level encryption} {authentication mechanism} If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. 3.4.1] | Physical and environmental protection | Data and Information Management | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 [Protect stored cardholder data. Requirement 3 Physically secure all media. 9.5] | Physical and environmental protection | Physical and Environmental Protection | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Records Management | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Behavior | |
| Control the storage of restricted storage media. CC ID 00965 [Maintain strict control over the storage and accessibility of media. 9.7] | Physical and environmental protection | Records Management | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Physical and Environmental Protection | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Configuration | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Physical and Environmental Protection | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Establish/Maintain Documentation | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Establish/Maintain Documentation | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Behavior | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Control physical access for onsite personnel to sensitive areas as follows: - Access must be authorized and based on individual job function. - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.3] | Physical and environmental protection | Behavior | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Behavior | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Behavior | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Behavior | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Configuration | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Establish/Maintain Documentation | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Technical Security | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Configuration | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Technical Security | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Physical and Environmental Protection | |
| Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Business Processes | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Physical and environmental protection | Establish/Maintain Documentation | |
| Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Establish/Maintain Documentation | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Establish Roles | |
| Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Records Management | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Physical and Environmental Protection | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Physical and Environmental Protection | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Business Processes | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Establish/Maintain Documentation | |
| Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Physical and Environmental Protection | |
| Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Process or Activity | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Physical and Environmental Protection | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Physical and Environmental Protection | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Physical and Environmental Protection | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Physical and Environmental Protection | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Establish/Maintain Documentation | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Physical and Environmental Protection | |
| Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Physical and Environmental Protection | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Physical and Environmental Protection | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Physical and Environmental Protection | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Physical and Environmental Protection | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Physical and Environmental Protection | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Physical and Environmental Protection | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Configuration | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 [{physical control} Implement physical and/or logical controls to restrict access to publicly accessible network jacks. 9.1.2] | Physical and environmental protection | Physical and Environmental Protection | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Physical and Environmental Protection | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Physical and Environmental Protection | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Physical and Environmental Protection | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Physical and Environmental Protection | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Physical and Environmental Protection | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Physical and Environmental Protection | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Physical and Environmental Protection | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 [Maintain a list of service providers. 12.8.1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Systems Continuity | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [{alternate site} Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually. 9.5.1] | Operational and Systems Continuity | Data and Information Management | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
| Train all new hires, as necessary. CC ID 06673 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Human Resources management | Behavior | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
| Retrain all personnel, as necessary. CC ID 01362 [{retrain} Educate personnel upon hire and at least annually. 12.6.1] | Human Resources management | Behavior | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. 12.6] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. 12.6.2] | Human Resources management | Establish/Maintain Documentation | |
| Conduct tampering prevention training. CC ID 11875 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Training | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Training | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Training | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Training | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 [{do not replace} {do not return} Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer). 9.9.3] | Human Resources management | Training | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
| Manage cloud services. CC ID 13144 | Operational management | Business Processes | |
| Protect clients' hosted environments. CC ID 11862 [Shared hosting providers must protect each entity’s hosted environment and cardholder data. 2.6] | Operational management | Physical and Environmental Protection | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Communicate | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
| Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
| Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintain a policy that addresses information security for all personnel. Requirement 12 Establish, publish, maintain, and disseminate a security policy. 12.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1 Review the security policy at least annually and update the policy when the environment changes. 12.1.1] | Operational management | Establish/Maintain Documentation | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Operational management | Human Resources Management | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. 12.4] | Operational management | Establish/Maintain Documentation | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 [Formally assign information security responsibilities for: Establish, document, and distribute security policies and procedures. 12.5.1] | Operational management | Human Resources Management | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Establish, publish, maintain, and disseminate a security policy. 12.1] | Operational management | Communicate | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Develop usage policies for critical technologies and define proper use of these technologies. 12.3] | Operational management | Establish/Maintain Documentation | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [Require that usage policies include: Explicit approval by authorized parties 12.3.1] | Operational management | Establish/Maintain Documentation | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 [Require that usage policies include: A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) 12.3.4] | Operational management | Establish/Maintain Documentation | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Require that usage policies include: Acceptable uses of the technology 12.3.5] | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [Require that usage policies include: A list of all such devices and personnel with access 12.3.3] | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 [Require that usage policies include: Authentication for use of the technology 12.3.2] | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 [Require that usage policies include: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use 12.3.9] | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 [Require that usage policies include: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 12.3.10] | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [Require that usage policies include: Acceptable network locations for the technologies 12.3.6] | Operational management | Establish/Maintain Documentation | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [Require that usage policies include: List of company-approved products 12.3.7] | Operational management | Establish/Maintain Documentation | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 [Require that usage policies include: ">Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity 12.3.8] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Operational management | Business Processes | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Establish/Maintain Documentation | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{make known} Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. 1.5 {make known} Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. 10.8 {make known} Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. 8.8 {make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7 {make known} Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 7.3 {make known} Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.4 {make known} Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. 3.7 {make known} Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. 4.3 {make known} Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 9.10] | Operational management | Behavior | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 [Classify media so the sensitivity of the data can be determined. 9.6.1] | Operational management | Establish Roles | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Business Processes | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Maintain an inventory of system components that are in scope for PCI DSS. 2.4] | Operational management | Establish/Maintain Documentation | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [Maintain an inventory of authorized wireless access points including a documented business justification. 11.1.1] | Operational management | Establish/Maintain Documentation | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 [Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. 9.7.1] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
| Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
| Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Establish/Maintain Documentation | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Establish/Maintain Documentation | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 [Maintain an up-to-date list of devices. The list should include the following: - Make, model of device - Location of device (for example, the address of the site or facility where the device is located) - Device serial number or other method of unique identification. 9.9.1] | Operational management | Establish/Maintain Documentation | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Update the incident response procedures using the lessons learned. CC ID 01233 [Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. 12.10.6] | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Implement an incident response plan. Be prepared to respond immediately to a system breach. 12.10 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Establish/Maintain Documentation | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Establish/Maintain Documentation | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Establish/Maintain Documentation | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Establish/Maintain Documentation | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Establish/Maintain Documentation | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Establish/Maintain Documentation | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Establish/Maintain Documentation | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Establish/Maintain Documentation | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Establish/Maintain Documentation | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Establish/Maintain Documentation | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Establish/Maintain Documentation | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Establish/Maintain Documentation | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Establish/Maintain Documentation | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Establish/Maintain Documentation | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Establish/Maintain Documentation | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Establish/Maintain Documentation | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Establish/Maintain Documentation | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Establish/Maintain Documentation | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Establish/Maintain Documentation | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Establish/Maintain Documentation | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Establish/Maintain Documentation | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Establish/Maintain Documentation | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Communicate | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Acquisition/Sale of Assets or Services | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Establish/Maintain Documentation | |
| Mitigate reported incidents. CC ID 12973 | Operational management | Actionable Reports or Measurements | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
| Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Establish/Maintain Documentation | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Communicate | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident response team member} Designate specific personnel to be available on a 24/7 basis to respond to alerts. 12.10.3 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish Roles | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Establish Roles | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 [Formally assign information security responsibilities for: Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2] | Operational management | Human Resources Management | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [Formally assign information security responsibilities for: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Operational management | Establish/Maintain Documentation | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 [Formally assign information security responsibilities for: Establish, document, and distribute</span> security incident response and escalation procedures to ensure timely and effective handling of all situations. 12.5.3] | Operational management | Communicate | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Operational management | Establish/Maintain Documentation | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Operational management | Establish/Maintain Documentation | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Establish/Maintain Documentation | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Establish/Maintain Documentation | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Prepare for incident response notifications. CC ID 00584 | Operational management | Establish/Maintain Documentation | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Operational management | Establish/Maintain Documentation | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Establish/Maintain Documentation | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Behavior | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Operational management | Behavior | |
| Conduct incident response training. CC ID 11889 [Provide appropriate training to staff with security breach response responsibilities. 12.10.4] | Operational management | Training | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
| Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Establish/Maintain Documentation | |
| Include management commitment in the incident response policy. CC ID 14106 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the incident response policy. CC ID 14104 | Operational management | Establish/Maintain Documentation | |
| Include the purpose in the incident response policy. CC ID 14101 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Communicate | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{intrusion detection system} {intrusion prevention system} In the incident response plan Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. 12.10.5] | Operational management | Establish/Maintain Documentation | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Behavior | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 [Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: - Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum - Specific incident response procedures - Business recovery and continuity procedures - Data backup processes - Analysis of legal requirements for reporting compromises - Coverage and responses of all critical system components - Reference or inclusion of incident response procedures from the payment brands. 12.10.1] | Operational management | Establish/Maintain Documentation | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Systems Continuity | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Business Processes | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Records Management | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Establish/Maintain Documentation | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Establish/Maintain Documentation | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Investigate | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Records Management | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Operational management | Actionable Reports or Measurements | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 [The change control processes must include Separate development/test environments from production environments, and enforce the separation with access controls. 6.4.1] | Operational management | Maintenance | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Change control procedures related to the implementation of security patches and software modifications must include Back-out procedures. 6.4.5.4] | Operational management | Establish/Maintain Documentation | |
| Manage change requests. CC ID 00887 | Operational management | Business Processes | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [Change control procedures related to the implementation of security patches and software modifications must include Documentation of impact. 6.4.5.1] | Operational management | Establish/Maintain Documentation | |
| Approve tested change requests. CC ID 11783 [{approve} Change control procedures related to the implementation of security patches and software modifications must include Documented change approval by authorized parties. 6.4.5.2] | Operational management | Data and Information Management | |
| Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
| Implement changes according to the change control program. CC ID 11776 [Follow change control processes and procedures for all changes to system components. The processes must include the following: 6.4] | Operational management | Business Processes | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Establish/Maintain Documentation | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Communicate | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Establish/Maintain Documentation | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Establish/Maintain Documentation | |
| Employ the Configuration Management program. CC ID 11904 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | System hardening through configuration management | Configuration | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [{make known} Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. 2.5] | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Establish/Maintain Documentation | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 [Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 2.2] | System hardening through configuration management | Configuration | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Establish/Maintain Documentation | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 | System hardening through configuration management | Configuration | |
| Document and justify system hardening standard exceptions. CC ID 06845 | System hardening through configuration management | Configuration | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 | System hardening through configuration management | Technical Security | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or erb">style="background-color:#F0BBBC;" class="term_primary-noun">session. 8.1.8] | System hardening through configuration management | Technical Security | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 | System hardening through configuration management | Configuration | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | System hardening through configuration management | Configuration | |
| Invalidate session identifiers upon session termination. CC ID 10649 | System hardening through configuration management | Technical Security | |
| Change default configurations, as necessary. CC ID 00877 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Configuration | |
| Configure custom security parameters for X-Windows. CC ID 02168 | System hardening through configuration management | Configuration | |
| Configure custom security settings for Lotus Domino. CC ID 02171 | System hardening through configuration management | Configuration | |
| Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | System hardening through configuration management | Configuration | |
| Configure custom Security settings for Sun Answerbook2. CC ID 02178 | System hardening through configuration management | Configuration | |
| Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | System hardening through configuration management | Configuration | |
| Configure and secure each interface for Executive Interfaces. CC ID 02182 | System hardening through configuration management | Configuration | |
| Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | System hardening through configuration management | Configuration | |
| Configure the unisys executive (GENNED) GEN tags. CC ID 02184 | System hardening through configuration management | Configuration | |
| Reconfigure the default Console Mode privileges. CC ID 02189 | System hardening through configuration management | Configuration | |
| Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | System hardening through configuration management | Configuration | |
| Configure security profiles for the various Console Mode levels. CC ID 02191 | System hardening through configuration management | Configuration | |
| Configure custom access privileges for all mapper files. CC ID 02194 | System hardening through configuration management | Configuration | |
| Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | System hardening through configuration management | Configuration | |
| Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | System hardening through configuration management | Configuration | |
| Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | System hardening through configuration management | Configuration | |
| Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | System hardening through configuration management | Configuration | |
| Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | System hardening through configuration management | Configuration | |
| Complete the NetWare eGuide configuration. CC ID 04449 | System hardening through configuration management | Configuration | |
| Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | System hardening through configuration management | Configuration | |
| Set the low security directory list properly. CC ID 04903 | System hardening through configuration management | Configuration | |
| Set the medium security directory list properly. CC ID 04904 | System hardening through configuration management | Configuration | |
| Set the high security directory list properly. CC ID 04905 | System hardening through configuration management | Configuration | |
| Set the UID aliases pointer properly. CC ID 04906 | System hardening through configuration management | Configuration | |
| Verify users are listed in the ASET userlist file. CC ID 04907 | System hardening through configuration management | Technical Security | |
| Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | System hardening through configuration management | Testing | |
| Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Configuration | |
| Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | System hardening through configuration management | Configuration | |
| Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | System hardening through configuration management | Configuration | |
| Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Configuration | |
| Configure the system to boot directly to the correct Operating System. CC ID 04509 | System hardening through configuration management | Configuration | |
| Verify an appropriate bootloader is used. CC ID 04900 | System hardening through configuration management | Configuration | |
| Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | System hardening through configuration management | Configuration | |
| Configure the system to boot from hardware enforced read-only media. CC ID 10657 | System hardening through configuration management | Configuration | |
| Configure Simple Network Management Protocol (SNMP) to organizational standards. CC ID 12423 | System hardening through configuration management | Configuration | |
| Change the community string for Simple Network Management Protocol, as necessary. CC ID 01872 [For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Configuration | |
| Configure the system's storage media. CC ID 10618 | System hardening through configuration management | Configuration | |
| Configure the system's electronic storage media's encryption settings. CC ID 11927 [Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 8.2.1] | System hardening through configuration management | Configuration | |
| Implement only one application or primary function per network component or server. CC ID 00879 [Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. 2.2.1] | System hardening through configuration management | Systems Design, Build, and Implementation | |
| Remove all unnecessary functionality. CC ID 00882 [Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. 2.2.5] | System hardening through configuration management | Configuration | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Establish/Maintain Documentation | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Configuration | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Configuration | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Configuration | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Configuration | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Configuration | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Configuration | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Configuration | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Configuration | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Configuration | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Configuration | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Configuration | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Configuration | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Configuration | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Configuration | |
| Disable Autorun. CC ID 01790 | System hardening through configuration management | Configuration | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Configuration | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Configuration | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Configuration | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Configuration | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Configuration | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Configuration | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Configuration | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Configuration | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Configuration | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | System hardening through configuration management | Configuration | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Technical Security | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Configuration | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Configuration | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Configuration | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Configuration | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Configuration | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Configuration | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Configuration | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Configuration | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Configuration | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Configuration | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Configuration | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Configuration | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Configuration | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Configuration | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Configuration | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Configuration | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Configuration | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Configuration | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Configuration | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Configuration | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Configuration | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Configuration | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Configuration | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Configuration | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Configuration | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Configuration | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Configuration | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Configuration | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Configuration | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Configuration | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Configuration | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Configuration | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Configuration | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Configuration | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Configuration | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Configuration | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Configuration | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Configuration | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Configuration | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Data and Information Management | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Configuration | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Configuration | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Configuration | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Configuration | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Configuration | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Configuration | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Configuration | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Configuration | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Configuration | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Configuration | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Configuration | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Configuration | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Configuration | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Configuration | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Configuration | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Configuration | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Configuration | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Configuration | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Configuration | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Configuration | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Configuration | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Configuration | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Configuration | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Configuration | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Configuration | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Configuration | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Configuration | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Configuration | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Configuration | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Configuration | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Configuration | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Configuration | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Configuration | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Configuration | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Configuration | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Configuration | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Configuration | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Configuration | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Configuration | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Configuration | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Technical Security | |
| Manage access credentials for service accounts. CC ID 13862 | System hardening through configuration management | Technical Security | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Configuration | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Configuration | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Configuration | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Configuration | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Configuration | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Configuration | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Configuration | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Configuration | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Configuration | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Configuration | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Configuration | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Configuration | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Configuration | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Configuration | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Configuration | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Configuration | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Configuration | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Configuration | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Configuration | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Configuration | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Configuration | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Configuration | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Configuration | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Configuration | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Configuration | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Configuration | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Configuration | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Configuration | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Configuration | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Configuration | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Configuration | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Configuration | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Configuration | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Configuration | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Configuration | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Configuration | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Configuration | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 2.2.2] | System hardening through configuration management | Configuration | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Configuration | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Configuration | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Configuration | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Configuration | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Configuration | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Configuration | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Configuration | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Configuration | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Configuration | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Configuration | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Configuration | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Configuration | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Configuration | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Configuration | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Configuration | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Configuration | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Configuration | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Configuration | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Configuration | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Configuration | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Configuration | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Configuration | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Configuration | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Configuration | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Configuration | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Configuration | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Configuration | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Configuration | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Configuration | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Configuration | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Configuration | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Configuration | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Configuration | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Configuration | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Configuration | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Configuration | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Configuration | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Configuration | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Configuration | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Configuration | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Configuration | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Configuration | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Configuration | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Configuration | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Configuration | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Configuration | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Configuration | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Configuration | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Configuration | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Configuration | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Configuration | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Configuration | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Configuration | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Configuration | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Configuration | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Configuration | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Configuration | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Configuration | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Configuration | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Configuration | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Configuration | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Configuration | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Configuration | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Configuration | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Configuration | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Configuration | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Configuration | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Configuration | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Configuration | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Configuration | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Configuration | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Configuration | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Configuration | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Configuration | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Configuration | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Configuration | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Configuration | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Configuration | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Configuration | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Configuration | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Configuration | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Configuration | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Configuration | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Configuration | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Configuration | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Configuration | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Configuration | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Configuration | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Configuration | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Configuration | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Configuration | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Configuration | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Configuration | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Configuration | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Configuration | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Configuration | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Configuration | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Configuration | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Configuration | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Configuration | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Configuration | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Configuration | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Configuration | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Configuration | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Configuration | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Configuration | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Configuration | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Configuration | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Configuration | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Configuration | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Configuration | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Configuration | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Configuration | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Configuration | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Configuration | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Configuration | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Configuration | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Configuration | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Configuration | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Configuration | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Configuration | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Configuration | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Configuration | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Configuration | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Configuration | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Configuration | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Configuration | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Configuration | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Configuration | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Configuration | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Configuration | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Configuration | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Configuration | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Configuration | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Configuration | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Configuration | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Configuration | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Configuration | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Configuration | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Configuration | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Configuration | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Configuration | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Configuration | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Configuration | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Configuration | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Configuration | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Configuration | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Configuration | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Configuration | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Configuration | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Configuration | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Configuration | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Configuration | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Configuration | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Configuration | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Configuration | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Configuration | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Configuration | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Configuration | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Configuration | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Configuration | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Configuration | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Configuration | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Configuration | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Configuration | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Configuration | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Configuration | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Configuration | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Configuration | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Configuration | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Configuration | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Configuration | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Configuration | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Configuration | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Configuration | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Configuration | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Configuration | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Configuration | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Configuration | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Configuration | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Configuration | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Configuration | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Configuration | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Configuration | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Configuration | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Configuration | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Configuration | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Configuration | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Configuration | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Configuration | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Configuration | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Configuration | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Configuration | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Configuration | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Configuration | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Configuration | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Configuration | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Configuration | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Configuration | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Configuration | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Configuration | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Configuration | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Configuration | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Configuration | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Configuration | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Configuration | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Configuration | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Configuration | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Configuration | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Configuration | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Configuration | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Configuration | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Configuration | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Configuration | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Configuration | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Configuration | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Configuration | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Configuration | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Configuration | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Configuration | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Configuration | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Configuration | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Configuration | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Configuration | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Configuration | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Configuration | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Configuration | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Configuration | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Configuration | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Configuration | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Configuration | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 [{passphrase} Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. 8.2.6] | System hardening through configuration management | Configuration | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | System hardening through configuration management | Configuration | |
| Change all default authenticators. CC ID 15309 [Do not use vendor-supplied defaults for system passwords and other security parameters. Requirement 2 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2.1.1] | System hardening through configuration management | Configuration | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Configure system security parameters to prevent misuse. 2.2.4] | System hardening through configuration management | Configuration | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Configuration | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Configuration | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Configuration | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Configuration | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Configuration | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Configuration | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Configuration | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Configuration | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Configuration | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Configuration | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Configuration | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Configuration | |
| Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Configuration | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Configuration | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Configuration | |
| Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Configuration | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Configuration | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Configuration | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Configuration | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | System hardening through configuration management | Configuration | |
| Configure the system to enable Stack protection. CC ID 01514 | System hardening through configuration management | Configuration | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | System hardening through configuration management | Configuration | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | System hardening through configuration management | Configuration | |
| Configure the system to a default secure level. CC ID 01519 | System hardening through configuration management | Configuration | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | System hardening through configuration management | Configuration | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | System hardening through configuration management | Configuration | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | System hardening through configuration management | Configuration | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | System hardening through configuration management | Configuration | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | System hardening through configuration management | Configuration | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | System hardening through configuration management | Configuration | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | System hardening through configuration management | Configuration | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | System hardening through configuration management | Configuration | |
| Verify system files are not world-writable. CC ID 01546 | System hardening through configuration management | Technical Security | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | System hardening through configuration management | Technical Security | |
| Run hp_checkperms. CC ID 01548 | System hardening through configuration management | Configuration | |
| Run fix-modes. CC ID 01549 | System hardening through configuration management | Configuration | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | System hardening through configuration management | Configuration | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | System hardening through configuration management | Configuration | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | System hardening through configuration management | Configuration | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | System hardening through configuration management | Configuration | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | System hardening through configuration management | Configuration | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | System hardening through configuration management | Configuration | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | System hardening through configuration management | Configuration | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | System hardening through configuration management | Configuration | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | System hardening through configuration management | Configuration | |
| Enable the safe DLL search mode. CC ID 04273 | System hardening through configuration management | Configuration | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | System hardening through configuration management | Configuration | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | System hardening through configuration management | Configuration | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | System hardening through configuration management | Configuration | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | System hardening through configuration management | Configuration | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | System hardening through configuration management | Configuration | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | System hardening through configuration management | Configuration | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | System hardening through configuration management | Configuration | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | System hardening through configuration management | Configuration | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | System hardening through configuration management | Configuration | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | System hardening through configuration management | Configuration | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | System hardening through configuration management | Configuration | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | System hardening through configuration management | Configuration | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | System hardening through configuration management | Configuration | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | System hardening through configuration management | Configuration | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | System hardening through configuration management | Configuration | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | System hardening through configuration management | Configuration | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | System hardening through configuration management | Configuration | |
| Configure the NetWare bindery contexts. CC ID 04444 | System hardening through configuration management | Configuration | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | System hardening through configuration management | Configuration | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | System hardening through configuration management | Configuration | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | System hardening through configuration management | Configuration | |
| Configure the /etc/sshd_config file. CC ID 04475 | System hardening through configuration management | Configuration | |
| Configure the .Mac preferences. CC ID 04484 | System hardening through configuration management | Configuration | |
| Configure the Fast User Switching setting. CC ID 04485 | System hardening through configuration management | Configuration | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | System hardening through configuration management | Configuration | |
| Configure Apple's Dock preferences. CC ID 04487 | System hardening through configuration management | Configuration | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Configuration | |
| Configure the Energy Saver preferences. CC ID 04488 | System hardening through configuration management | Configuration | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | System hardening through configuration management | Configuration | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | System hardening through configuration management | Technical Security | |
| Manage temporary files, as necessary. CC ID 04847 | System hardening through configuration management | Technical Security | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Configuration | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | System hardening through configuration management | Configuration | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Configuration | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Configuration | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | System hardening through configuration management | Configuration | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Configuration | |
| Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Configuration | |
| Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Configuration | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Configuration | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Configuration | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | System hardening through configuration management | Configuration | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | System hardening through configuration management | Configuration | |
| Verify all files are owned by an existing account and group. CC ID 05295 | System hardening through configuration management | Configuration | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | System hardening through configuration management | Configuration | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | System hardening through configuration management | Configuration | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | System hardening through configuration management | Configuration | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | System hardening through configuration management | Configuration | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | System hardening through configuration management | Configuration | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | System hardening through configuration management | Configuration | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | System hardening through configuration management | Configuration | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | System hardening through configuration management | Configuration | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Configuration | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | System hardening through configuration management | Configuration | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | System hardening through configuration management | Configuration | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | System hardening through configuration management | Configuration | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | System hardening through configuration management | Configuration | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | System hardening through configuration management | Configuration | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | System hardening through configuration management | Configuration | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | System hardening through configuration management | Configuration | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | System hardening through configuration management | Configuration | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Technical Security | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | System hardening through configuration management | Configuration | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | System hardening through configuration management | Configuration | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | System hardening through configuration management | Configuration | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | System hardening through configuration management | Configuration | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | System hardening through configuration management | Configuration | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | System hardening through configuration management | Log Management | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | System hardening through configuration management | Configuration | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | System hardening through configuration management | Configuration | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Configuration | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | System hardening through configuration management | Technical Security | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Configuration | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | System hardening through configuration management | Configuration | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | System hardening through configuration management | Configuration | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | System hardening through configuration management | Configuration | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | System hardening through configuration management | Configuration | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | System hardening through configuration management | Configuration | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | System hardening through configuration management | Configuration | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | System hardening through configuration management | Configuration | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | System hardening through configuration management | Configuration | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | System hardening through configuration management | Configuration | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | System hardening through configuration management | Configuration | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | System hardening through configuration management | Configuration | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | System hardening through configuration management | Configuration | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | System hardening through configuration management | Configuration | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | System hardening through configuration management | Configuration | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | System hardening through configuration management | Configuration | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | System hardening through configuration management | Configuration | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | System hardening through configuration management | Configuration | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | System hardening through configuration management | Configuration | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | System hardening through configuration management | Configuration | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | System hardening through configuration management | Configuration | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | System hardening through configuration management | Configuration | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | System hardening through configuration management | Configuration | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | System hardening through configuration management | Configuration | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | System hardening through configuration management | Configuration | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | System hardening through configuration management | Configuration | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | System hardening through configuration management | Configuration | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | System hardening through configuration management | Configuration | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | System hardening through configuration management | Configuration | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | System hardening through configuration management | Configuration | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | System hardening through configuration management | Configuration | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | System hardening through configuration management | Configuration | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | System hardening through configuration management | Configuration | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | System hardening through configuration management | Configuration | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | System hardening through configuration management | Configuration | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | System hardening through configuration management | Configuration | |
| Set the X server timeout properly. CC ID 05374 | System hardening through configuration management | Configuration | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | System hardening through configuration management | Configuration | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | System hardening through configuration management | Configuration | |
| Set the SELinux state properly. CC ID 05377 | System hardening through configuration management | Configuration | |
| Set the SELinux policy properly. CC ID 05378 | System hardening through configuration management | Configuration | |
| Configure Dovecot properly. CC ID 05379 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Configuration | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Configuration | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Configuration | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Configuration | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Configuration | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | System hardening through configuration management | Configuration | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | System hardening through configuration management | Configuration | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Configuration | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Configuration | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Configuration | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | System hardening through configuration management | Configuration | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | System hardening through configuration management | Configuration | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | System hardening through configuration management | Configuration | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Configuration | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Configuration | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Configuration | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | System hardening through configuration management | Configuration | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | System hardening through configuration management | Configuration | |
| Enable the ExecShield, as appropriate. CC ID 05421 | System hardening through configuration management | Configuration | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | System hardening through configuration management | Configuration | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | System hardening through configuration management | Configuration | |
| Configure the Shell for the bin account properly. CC ID 05424 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | System hardening through configuration management | Configuration | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | System hardening through configuration management | Configuration | |
| Configure the Shell for the listen account properly. CC ID 05427 | System hardening through configuration management | Configuration | |
| Configure the Shell for the gdm account properly. CC ID 05428 | System hardening through configuration management | Configuration | |
| Configure the Shell for the webservd account properly. CC ID 05429 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nobody account properly. CC ID 05430 | System hardening through configuration management | Configuration | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | System hardening through configuration management | Configuration | |
| Configure the Shell for the adm account properly. CC ID 05433 | System hardening through configuration management | Configuration | |
| Configure the Shell for the lp account properly. CC ID 05434 | System hardening through configuration management | Configuration | |
| Configure the Shell for the uucp account properly. CC ID 05435 | System hardening through configuration management | Configuration | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | System hardening through configuration management | Configuration | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | System hardening through configuration management | Configuration | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Configuration | |
| Set the TCP max connection limit properly. CC ID 05440 | System hardening through configuration management | Configuration | |
| Set the TCP abort interval properly. CC ID 05441 | System hardening through configuration management | Configuration | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | System hardening through configuration management | Configuration | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | System hardening through configuration management | Configuration | |
| Set the ARP IRE scan rate properly. CC ID 05444 | System hardening through configuration management | Configuration | |
| Disable proxy ARP on all interfaces. CC ID 06570 | System hardening through configuration management | Configuration | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | System hardening through configuration management | Configuration | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | System hardening through configuration management | Configuration | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | System hardening through configuration management | Configuration | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | System hardening through configuration management | Configuration | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | System hardening through configuration management | Configuration | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | System hardening through configuration management | Configuration | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | System hardening through configuration management | Configuration | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Configuration | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | System hardening through configuration management | Configuration | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | System hardening through configuration management | Configuration | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | System hardening through configuration management | Configuration | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Configuration | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | System hardening through configuration management | Configuration | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | System hardening through configuration management | Configuration | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | System hardening through configuration management | Configuration | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Configuration | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Configuration | |
| Configure the system to purge Policy Caches. CC ID 06569 | System hardening through configuration management | Configuration | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | System hardening through configuration management | Configuration | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | System hardening through configuration management | Configuration | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | System hardening through configuration management | Configuration | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | System hardening through configuration management | Configuration | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | System hardening through configuration management | Configuration | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | System hardening through configuration management | Configuration | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | System hardening through configuration management | Configuration | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | System hardening through configuration management | Configuration | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | System hardening through configuration management | Configuration | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | System hardening through configuration management | Configuration | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | System hardening through configuration management | Configuration | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | System hardening through configuration management | Configuration | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | System hardening through configuration management | Configuration | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | System hardening through configuration management | Configuration | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | System hardening through configuration management | Configuration | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | System hardening through configuration management | Configuration | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | System hardening through configuration management | Configuration | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | System hardening through configuration management | Configuration | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | System hardening through configuration management | Configuration | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | System hardening through configuration management | Configuration | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | System hardening through configuration management | Configuration | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | System hardening through configuration management | Configuration | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | System hardening through configuration management | Configuration | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | System hardening through configuration management | Configuration | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | System hardening through configuration management | Configuration | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | System hardening through configuration management | Configuration | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | System hardening through configuration management | Configuration | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | System hardening through configuration management | Configuration | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | System hardening through configuration management | Configuration | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | System hardening through configuration management | Configuration | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | System hardening through configuration management | Configuration | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | System hardening through configuration management | Configuration | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | System hardening through configuration management | Configuration | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | System hardening through configuration management | Configuration | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | System hardening through configuration management | Configuration | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | System hardening through configuration management | Configuration | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | System hardening through configuration management | Configuration | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | System hardening through configuration management | Configuration | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | System hardening through configuration management | Configuration | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | System hardening through configuration management | Configuration | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | System hardening through configuration management | Configuration | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | System hardening through configuration management | Configuration | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | System hardening through configuration management | Configuration | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | System hardening through configuration management | Configuration | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | System hardening through configuration management | Configuration | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | System hardening through configuration management | Configuration | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | System hardening through configuration management | Configuration | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | System hardening through configuration management | Configuration | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | System hardening through configuration management | Configuration | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | System hardening through configuration management | Configuration | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | System hardening through configuration management | Configuration | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | System hardening through configuration management | Configuration | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | System hardening through configuration management | Configuration | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | System hardening through configuration management | Configuration | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | System hardening through configuration management | Configuration | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | System hardening through configuration management | Configuration | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | System hardening through configuration management | Configuration | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | System hardening through configuration management | Configuration | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | System hardening through configuration management | Configuration | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | System hardening through configuration management | Configuration | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | System hardening through configuration management | Configuration | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | System hardening through configuration management | Configuration | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | System hardening through configuration management | Configuration | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | System hardening through configuration management | Configuration | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | System hardening through configuration management | Configuration | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | System hardening through configuration management | Configuration | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | System hardening through configuration management | Configuration | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | System hardening through configuration management | Configuration | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | System hardening through configuration management | Configuration | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | System hardening through configuration management | Configuration | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | System hardening through configuration management | Configuration | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | System hardening through configuration management | Configuration | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | System hardening through configuration management | Configuration | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | System hardening through configuration management | Configuration | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | System hardening through configuration management | Configuration | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | System hardening through configuration management | Configuration | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | System hardening through configuration management | Configuration | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | System hardening through configuration management | Configuration | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | System hardening through configuration management | Configuration | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | System hardening through configuration management | Configuration | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | System hardening through configuration management | Configuration | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | System hardening through configuration management | Configuration | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | System hardening through configuration management | Configuration | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | System hardening through configuration management | Configuration | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | System hardening through configuration management | Configuration | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | System hardening through configuration management | Configuration | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | System hardening through configuration management | Configuration | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | System hardening through configuration management | Configuration | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | System hardening through configuration management | Configuration | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | System hardening through configuration management | Configuration | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | System hardening through configuration management | Configuration | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | System hardening through configuration management | Configuration | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | System hardening through configuration management | Configuration | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | System hardening through configuration management | Configuration | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | System hardening through configuration management | Configuration | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | System hardening through configuration management | Configuration | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | System hardening through configuration management | Configuration | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | System hardening through configuration management | Configuration | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | System hardening through configuration management | Configuration | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | System hardening through configuration management | Configuration | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | System hardening through configuration management | Configuration | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | System hardening through configuration management | Configuration | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | System hardening through configuration management | Configuration | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | System hardening through configuration management | Configuration | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | System hardening through configuration management | Configuration | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | System hardening through configuration management | Configuration | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | System hardening through configuration management | Configuration | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | System hardening through configuration management | Configuration | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | System hardening through configuration management | Configuration | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | System hardening through configuration management | Configuration | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | System hardening through configuration management | Configuration | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | System hardening through configuration management | Configuration | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | System hardening through configuration management | Configuration | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | System hardening through configuration management | Configuration | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | System hardening through configuration management | Configuration | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | System hardening through configuration management | Configuration | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | System hardening through configuration management | Configuration | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | System hardening through configuration management | Configuration | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | System hardening through configuration management | Configuration | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | System hardening through configuration management | Configuration | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | System hardening through configuration management | Configuration | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | System hardening through configuration management | Configuration | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | System hardening through configuration management | Configuration | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | System hardening through configuration management | Configuration | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | System hardening through configuration management | Configuration | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | System hardening through configuration management | Configuration | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | System hardening through configuration management | Configuration | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | System hardening through configuration management | Configuration | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | System hardening through configuration management | Configuration | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | System hardening through configuration management | Configuration | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | System hardening through configuration management | Configuration | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | System hardening through configuration management | Configuration | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | System hardening through configuration management | Configuration | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | System hardening through configuration management | Configuration | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | System hardening through configuration management | Configuration | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | System hardening through configuration management | Configuration | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | System hardening through configuration management | Configuration | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | System hardening through configuration management | Configuration | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | System hardening through configuration management | Configuration | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | System hardening through configuration management | Configuration | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | System hardening through configuration management | Configuration | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | System hardening through configuration management | Configuration | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | System hardening through configuration management | Configuration | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | System hardening through configuration management | Configuration | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | System hardening through configuration management | Configuration | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | System hardening through configuration management | Configuration | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | System hardening through configuration management | Configuration | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | System hardening through configuration management | Configuration | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | System hardening through configuration management | Configuration | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | System hardening through configuration management | Configuration | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | System hardening through configuration management | Configuration | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | System hardening through configuration management | Configuration | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | System hardening through configuration management | Configuration | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | System hardening through configuration management | Configuration | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | System hardening through configuration management | Configuration | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | System hardening through configuration management | Configuration | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | System hardening through configuration management | Configuration | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | System hardening through configuration management | Configuration | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | System hardening through configuration management | Configuration | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | System hardening through configuration management | Configuration | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | System hardening through configuration management | Configuration | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | System hardening through configuration management | Configuration | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | System hardening through configuration management | Configuration | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | System hardening through configuration management | Configuration | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | System hardening through configuration management | Configuration | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | System hardening through configuration management | Configuration | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | System hardening through configuration management | Configuration | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | System hardening through configuration management | Configuration | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | System hardening through configuration management | Configuration | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | System hardening through configuration management | Configuration | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | System hardening through configuration management | Configuration | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | System hardening through configuration management | Configuration | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | System hardening through configuration management | Configuration | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | System hardening through configuration management | Configuration | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | System hardening through configuration management | Configuration | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | System hardening through configuration management | Configuration | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | System hardening through configuration management | Configuration | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | System hardening through configuration management | Configuration | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | System hardening through configuration management | Configuration | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | System hardening through configuration management | Configuration | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | System hardening through configuration management | Configuration | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | System hardening through configuration management | Configuration | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | System hardening through configuration management | Configuration | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | System hardening through configuration management | Configuration | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | System hardening through configuration management | Configuration | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | System hardening through configuration management | Configuration | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | System hardening through configuration management | Configuration | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | System hardening through configuration management | Configuration | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | System hardening through configuration management | Configuration | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | System hardening through configuration management | Configuration | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | System hardening through configuration management | Configuration | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | System hardening through configuration management | Configuration | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | System hardening through configuration management | Configuration | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | System hardening through configuration management | Configuration | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | System hardening through configuration management | Configuration | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | System hardening through configuration management | Configuration | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | System hardening through configuration management | Configuration | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | System hardening through configuration management | Configuration | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | System hardening through configuration management | Configuration | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | System hardening through configuration management | Configuration | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | System hardening through configuration management | Configuration | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | System hardening through configuration management | Configuration | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | System hardening through configuration management | Configuration | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | System hardening through configuration management | Configuration | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | System hardening through configuration management | Configuration | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | System hardening through configuration management | Configuration | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | System hardening through configuration management | Configuration | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | System hardening through configuration management | Configuration | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | System hardening through configuration management | Configuration | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | System hardening through configuration management | Configuration | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | System hardening through configuration management | Configuration | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | System hardening through configuration management | Configuration | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | System hardening through configuration management | Configuration | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | System hardening through configuration management | Configuration | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | System hardening through configuration management | Configuration | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | System hardening through configuration management | Configuration | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | System hardening through configuration management | Configuration | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | System hardening through configuration management | Configuration | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | System hardening through configuration management | Configuration | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | System hardening through configuration management | Configuration | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | System hardening through configuration management | Configuration | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | System hardening through configuration management | Configuration | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | System hardening through configuration management | Configuration | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | System hardening through configuration management | Configuration | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | System hardening through configuration management | Configuration | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | System hardening through configuration management | Configuration | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | System hardening through configuration management | Configuration | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | System hardening through configuration management | Configuration | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | System hardening through configuration management | Configuration | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | System hardening through configuration management | Configuration | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | System hardening through configuration management | Configuration | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | System hardening through configuration management | Configuration | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | System hardening through configuration management | Configuration | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | System hardening through configuration management | Configuration | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | System hardening through configuration management | Configuration | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | System hardening through configuration management | Configuration | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | System hardening through configuration management | Configuration | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | System hardening through configuration management | Configuration | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | System hardening through configuration management | Configuration | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | System hardening through configuration management | Configuration | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | System hardening through configuration management | Configuration | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | System hardening through configuration management | Configuration | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | System hardening through configuration management | Configuration | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | System hardening through configuration management | Configuration | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | System hardening through configuration management | Configuration | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | System hardening through configuration management | Configuration | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | System hardening through configuration management | Configuration | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | System hardening through configuration management | Configuration | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | System hardening through configuration management | Configuration | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | System hardening through configuration management | Configuration | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | System hardening through configuration management | Configuration | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | System hardening through configuration management | Configuration | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | System hardening through configuration management | Configuration | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | System hardening through configuration management | Configuration | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | System hardening through configuration management | Configuration | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | System hardening through configuration management | Configuration | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | System hardening through configuration management | Configuration | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | System hardening through configuration management | Configuration | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | System hardening through configuration management | Configuration | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | System hardening through configuration management | Configuration | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Configuration | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Configuration | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | System hardening through configuration management | Configuration | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | System hardening through configuration management | Configuration | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Configuration | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
| Remove unnecessary default accounts. CC ID 01539 [Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.1] | System hardening through configuration management | Configuration | |
| Disable all unnecessary user identifiers. CC ID 02185 [Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: - Generic user IDs are disabled or removed. - Shared user IDs do not exist for system administration and other critical functions. - Shared and generic user IDs are not used to administer any system components. 8.5] | System hardening through configuration management | Configuration | |
| Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Configuration | |
| Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Configuration | |
| Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Configuration | |
| Configure accounts with administrative privilege. CC ID 07033 | System hardening through configuration management | Configuration | |
| Encrypt non-console administrative access. CC ID 00883 [Encrypt all non-console administrative access using strong cryptography. 2.3] | System hardening through configuration management | Configuration | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | System hardening through configuration management | Technical Security | |
| Configure the time server in accordance with organizational standards. CC ID 06426 | System hardening through configuration management | Configuration | |
| Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Configure the time servers to ensure Time settings are received from industry-accepted time sources. 10.4.3] | System hardening through configuration management | Configuration | |
| Restrict access to time server configuration to personnel with a business need. CC ID 06858 [Restrict access to time server configurations to ensure Time data is protected. 10.4.2] | System hardening through configuration management | Configuration | |
| Configure Account settings in accordance with organizational standards. CC ID 07603 | System hardening through configuration management | Configuration | |
| Configure the "Account lockout threshold" to organizational standards. CC ID 07604 [{configure} {account lockout threshold} Limit repeated access attempts by locking out the user ID after not more than six attempts. 8.1.6] | System hardening through configuration management | Configuration | |
| Configure the "Account lockout duration" to organizational standards. CC ID 07771 [Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. 8.1.7] | System hardening through configuration management | Configuration | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
| Configure the security parameters for all logs. CC ID 01712 | System hardening through configuration management | Configuration | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | System hardening through configuration management | Configuration | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure the audit log to capture the following event for all system components: User identification 10.3.1] | System hardening through configuration management | Configuration | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure the audit log to capture the following event for all system components: Date and time 10.3.3] | System hardening through configuration management | Configuration | |
| Configure the log to uniquely identify each asset. CC ID 01339 [Configure the audit log to capture the following event for all system components: Identity or name of affected data, system component, or resource. 10.3.6] | System hardening through configuration management | Configuration | |
| Configure the log to capture the type of each event. CC ID 06423 [Configure the audit log to capture the following event for all system components: Type of event 10.3.2] | System hardening through configuration management | Configuration | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 [Configure the audit log to capture the following event for all system components: Success or failure indication 10.3.4] | System hardening through configuration management | Configuration | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Configuration | |
| Configure the log to capture configuration changes. CC ID 06881 | System hardening through configuration management | Configuration | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Configuration | |
| Configure the "Maximum password age" to organizational standards. CC ID 07688 [{maximum password age} Change user passwords/passphrases at least once every 90 days. 8.2.4] | System hardening through configuration management | Configuration | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | System hardening through configuration management | Configuration | |
| Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{passphrase} {complexity} {configure} Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. 8.2.3] | System hardening through configuration management | Configuration | |
| Configure the "Enforce password history" to organizational standards. CC ID 07877 [{passphrase} {configure} {password history} Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. 8.2.5] | System hardening through configuration management | Configuration | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | System hardening through configuration management | Configuration | |
| Configure security and protection software to automatically run at startup. CC ID 12443 [Ensure that anti-virus mechanisms are actively verb">running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. 5.3] | System hardening through configuration management | Configuration | |
| Configure security and protection software to enable automatic updates. CC ID 11945 [Protect all systems against malware and regularly update anti-virus software or programs. Requirement 5] | System hardening through configuration management | Configuration | |
| Configure File Integrity Monitoring Software to Organizational Standards. CC ID 11923 | System hardening through configuration management | Configuration | |
| Configure the file integrity monitoring software to perform critical file comparisons, as necessary. CC ID 11924 [Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. 11.5] | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1 {legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Ensure that all anti-virus mechanisms are maintained as follows: - Are kept current, - Perform periodic scans - Generate audit logs which are retained per PCI DSS Requirement 10.7. 5.2] | Records management | Records Management | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Establish/Maintain Documentation | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Establish/Maintain Documentation | |
| Manage the disposition status for all records. CC ID 00972 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Records Management | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Data and Information Management | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be m_secondary-verb">destroyed. 9.8.1] | Records management | Physical and Environmental Protection | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. 9.8.1] | Records management | Physical and Environmental Protection | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 [{legal requirement} {regulatory requirement} Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: - Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements - Specific retention requirements for cardholder data - Processes for secure deletion of data when no longer needed - A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 3.1] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [{make known} Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. 6.7] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
| Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
| Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Human Resources Management | |
| Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
| Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Communicate | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [Develop and maintain secure systems and applications. Requirement 6] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Physical and Environmental Protection | |
| Develop new products based on best practices. CC ID 01095 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include threat models in the system design specification. CC ID 06829 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Systems design, build, and implementation | Process or Activity | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Systems design, build, and implementation | Process or Activity | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Systems design, build, and implementation | Process or Activity | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Systems design, build, and implementation | Process or Activity | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Systems design, build, and implementation | Process or Activity | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Configuration | |
| Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Configuration | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Configuration | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Configuration | |
| Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Configuration | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Configuration | |
| Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Configuration | |
| Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Configuration | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Configuration | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Configuration | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Configuration | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Configuration | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Configuration | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Process or Activity | |
| Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Configuration | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Configuration | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Configuration | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Configuration | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Configuration | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Configuration | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Configuration | |
| Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Configuration | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Configuration | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain User Interface documentation. CC ID 12204 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include system messages in human interface guidelines. CC ID 08663 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the data structure in the system design specification. CC ID 08669 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the input and output variables in the system design specification. CC ID 08670 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Systems design, build, and implementation | Human Resources Management | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Communicate | |
| Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Implement security controls when developing systems. CC ID 06270 [Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: - In accordance with PCI DSS (for example, secure authentication and logging) - Based on industry standards and/or best practices. - Incorporating information security throughout the software-development life cycle. 6.3] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Technical Security | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Technical Security | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Follow security design requirements when developing systems. CC ID 06827 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 | Systems design, build, and implementation | Data and Information Management | |
| Use randomly generated session identifiers. CC ID 07074 | Systems design, build, and implementation | Technical Security | |
| Identify multi-project interfaces and dependencies. CC ID 06902 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system implementation representation document. CC ID 04558 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Design the security architecture. CC ID 06269 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Limit the embedding of data types inside other data types. CC ID 06759 | Systems design, build, and implementation | Technical Security | |
| Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Process or Activity | |
| Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Process or Activity | |
| Implement software development version controls. CC ID 01098 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect system libraries. CC ID 01097 | Systems design, build, and implementation | Technical Security | |
| Follow the system development process when upgrading a system. CC ID 01059 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect application program libraries. CC ID 11762 | Systems design, build, and implementation | Technical Security | |
| Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Approve the design methodology before moving forward on the system design project. CC ID 01060 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Technical Security | |
| Identify and redesign unsafe functions when developing systems. CC ID 06831 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain system security documentation. CC ID 06271 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Transmit source code securely. CC ID 06397 | Systems design, build, and implementation | Data and Information Management | |
| Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Process or Activity | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 | Systems design, build, and implementation | Technical Security | |
| Develop new products based on secure coding techniques. CC ID 11733 [Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guidelines. 6.5 {assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 [Include in the coding manual how to protect applications from Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). 6.5.8] | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [Include in the coding manual how to protect applications from Improper error handling 6.5.5] | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 [Include in the coding manual how to protect applications from Insecure communications 6.5.4] | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 [Include in the coding manual how to protect applications from Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 6.5.1] | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Control user account management through secure coding techniques in source code. CC ID 11909 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Systems design, build, and implementation | Technical Security | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 [All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: - All user access to, user queries of, and user actions on databases are through programmatic methods. - Only database administrators have the ability to directly access or query databases. - Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 8.7] | Systems design, build, and implementation | Technical Security | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 [Include in the coding manual how to protect applications from Buffer overflows. 6.5.2] | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 [Include in the coding manual how to protect applications from Cross-site scripting (XSS) 6.5.7] | Systems design, build, and implementation | Process or Activity | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [Use a coding manual to protect against coding vulnerabilities such as All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). 6.5.6] | Systems design, build, and implementation | Process or Activity | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 [Include in the coding manual how to protect applications from Broken authentication and session management 6.5.10] | Systems design, build, and implementation | Process or Activity | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 [Include in the coding manual how to protect applications from Insecure cryptographic storage 6.5.3] | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 [Include in the coding manual how to protect applications from Cross-site request forgery (CSRF) 6.5.9] | Systems design, build, and implementation | Process or Activity | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Technical Security | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Technical Security | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 [{assign}{correct} Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: - Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. - Code reviews ensure code is developed according to secure coding guidelines - Appropriate corrections are implemented prior to release. - Code-review results are reviewed and approved by management prior to release. 6.3.2] | Systems design, build, and implementation | Establish Roles | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Behavior | |
| Establish, implement, and maintain promoting the system to a production environment procedures. CC ID 01119 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Remove test data prior to promoting the system to a production environment. CC ID 12494 [Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. 6.3.1 {remove} The change control processes must include Removal of test data and accounts before production systems become active. 6.4.4] | Systems design, build, and implementation | Business Processes | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 [Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. 3.3] | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 [{primary account number} Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). 4.2] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization. 3.2.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. 3.2.3] | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 [Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 3.2] | Privacy protection for information and data | Technical Security | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 [Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: - One-way hashes based on strong cryptography, (hash must be of the entire PAN) - Truncation (hashing cannot be used to replace the truncated segment of PAN) - Index tokens and pads (pads must be securely stored) - Strong cryptography with associated key-management processes and procedures. 3.4] | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 [Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: 12.8] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
| Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Systems Continuity | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |
| Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |
| Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Business Processes | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Business Processes | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [Shared hosting providers must protect the cardholder data environment Requirement A.1] | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
| Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |